Add property-based tests for SBOM/VEX document ordering and Unicode normalization determinism

- Implement `SbomVexOrderingDeterminismProperties` for testing component list and vulnerability metadata hash consistency.
- Create `UnicodeNormalizationDeterminismProperties` to validate NFC normalization and Unicode string handling.
- Add project file for `StellaOps.Testing.Determinism.Properties` with necessary dependencies.
- Introduce CI/CD template validation tests including YAML syntax checks and documentation content verification.
- Create validation script for CI/CD templates ensuring all required files and structures are present.

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Services/BinaryVulnerabilityService.cs

@@ -1,6 +1,8 @@
 using System.Collections.Immutable;
 using Microsoft.Extensions.Logging;
 using StellaOps.BinaryIndex.Core.Models;
+using StellaOps.BinaryIndex.FixIndex.Models;
+using StellaOps.BinaryIndex.FixIndex.Repositories;
 
 namespace StellaOps.BinaryIndex.Core.Services;
 
@@ -10,14 +12,17 @@ namespace StellaOps.BinaryIndex.Core.Services;
 public sealed class BinaryVulnerabilityService : IBinaryVulnerabilityService
 {
     private readonly IBinaryVulnAssertionRepository _assertionRepo;
+    private readonly IFixIndexRepository? _fixIndexRepo;
     private readonly ILogger<BinaryVulnerabilityService> _logger;
 
     public BinaryVulnerabilityService(
         IBinaryVulnAssertionRepository assertionRepo,
-        ILogger<BinaryVulnerabilityService> logger)
+        ILogger<BinaryVulnerabilityService> logger,
+        IFixIndexRepository? fixIndexRepo = null)
     {
         _assertionRepo = assertionRepo;
         _logger = logger;
+        _fixIndexRepo = fixIndexRepo;
     }
 
     public async Task<ImmutableArray<BinaryVulnMatch>> LookupByIdentityAsync(
@@ -62,6 +67,66 @@ public sealed class BinaryVulnerabilityService : IBinaryVulnerabilityService
         return results.ToImmutableDictionary();
     }
 
+    public async Task<FixStatusResult?> GetFixStatusAsync(
+        string distro,
+        string release,
+        string sourcePkg,
+        string cveId,
+        CancellationToken ct = default)
+    {
+        if (_fixIndexRepo is null)
+        {
+            _logger.LogWarning("Fix index repository not configured, cannot check fix status");
+            return null;
+        }
+
+        var entry = await _fixIndexRepo.GetFixStatusAsync(distro, release, sourcePkg, cveId, ct);
+        if (entry is null)
+        {
+            _logger.LogDebug("No fix status found for {CveId} in {Distro}/{Release}/{Package}",
+                cveId, distro, release, sourcePkg);
+            return null;
+        }
+
+        return new FixStatusResult
+        {
+            State = entry.State,
+            FixedVersion = entry.FixedVersion,
+            Method = entry.Method,
+            Confidence = entry.Confidence,
+            EvidenceId = entry.EvidenceId
+        };
+    }
+
+    public async Task<ImmutableDictionary<string, FixStatusResult>> GetFixStatusBatchAsync(
+        string distro,
+        string release,
+        string sourcePkg,
+        IEnumerable<string> cveIds,
+        CancellationToken ct = default)
+    {
+        var results = new Dictionary<string, FixStatusResult>();
+
+        if (_fixIndexRepo is null)
+        {
+            _logger.LogWarning("Fix index repository not configured, cannot check fix status");
+            return results.ToImmutableDictionary();
+        }
+
+        foreach (var cveId in cveIds)
+        {
+            var status = await GetFixStatusAsync(distro, release, sourcePkg, cveId, ct);
+            if (status is not null)
+            {
+                results[cveId] = status;
+            }
+        }
+
+        _logger.LogDebug("Found fix status for {Count} CVEs in {Distro}/{Release}/{Package}",
+            results.Count, distro, release, sourcePkg);
+        return results.ToImmutableDictionary();
+    }
+
     private static MatchMethod MapMethod(string method) => method switch
     {
         "buildid_catalog" => MatchMethod.BuildIdCatalog,

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Services/IBinaryFeatureExtractor.cs

@@ -35,4 +35,12 @@ public sealed record BinaryMetadata
     public string? OsAbi { get; init; }
     public BinaryType? Type { get; init; }
     public bool IsStripped { get; init; }
+
+    // PE-specific
+    public uint? PeTimestamp { get; init; }
+    public bool? IsPe32Plus { get; init; }
+
+    // Mach-O specific
+    public bool? Is64Bit { get; init; }
+    public bool? IsUniversalBinary { get; init; }
 }

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Services/IBinaryVulnerabilityService.cs

@@ -1,5 +1,6 @@
 using System.Collections.Immutable;
 using StellaOps.BinaryIndex.Core.Models;
+using StellaOps.BinaryIndex.FixIndex.Models;
 
 namespace StellaOps.BinaryIndex.Core.Services;
 
@@ -24,6 +25,33 @@ public interface IBinaryVulnerabilityService
         IEnumerable<BinaryIdentity> identities,
         LookupOptions? options = null,
         CancellationToken ct = default);
+
+    /// <summary>
+    /// Check if a CVE is fixed for a specific distro/release/package combination.
+    /// Used for patch-aware backport detection.
+    /// </summary>
+    /// <param name="distro">Distribution name (debian, ubuntu, alpine, rhel).</param>
+    /// <param name="release">Release codename (bookworm, jammy, v3.19).</param>
+    /// <param name="sourcePkg">Source package name.</param>
+    /// <param name="cveId">CVE identifier.</param>
+    /// <param name="ct">Cancellation token.</param>
+    /// <returns>Fix status if found, null otherwise.</returns>
+    Task<FixStatusResult?> GetFixStatusAsync(
+        string distro,
+        string release,
+        string sourcePkg,
+        string cveId,
+        CancellationToken ct = default);
+
+    /// <summary>
+    /// Batch check fix status for multiple CVEs.
+    /// </summary>
+    Task<ImmutableDictionary<string, FixStatusResult>> GetFixStatusBatchAsync(
+        string distro,
+        string release,
+        string sourcePkg,
+        IEnumerable<string> cveIds,
+        CancellationToken ct = default);
 }
 
 public sealed record LookupOptions
@@ -55,3 +83,24 @@ public sealed record MatchEvidence
     public decimal? Similarity { get; init; }
     public string? MatchedFunction { get; init; }
 }
+
+/// <summary>
+/// Result of a fix status lookup from the CVE fix index.
+/// </summary>
+public sealed record FixStatusResult
+{
+    /// <summary>Fix state (fixed, vulnerable, not_affected, wontfix, unknown).</summary>
+    public required FixState State { get; init; }
+
+    /// <summary>Version where the fix was applied (if fixed).</summary>
+    public string? FixedVersion { get; init; }
+
+    /// <summary>Detection method used.</summary>
+    public required FixMethod Method { get; init; }
+
+    /// <summary>Confidence score (0.00-1.00).</summary>
+    public required decimal Confidence { get; init; }
+
+    /// <summary>Reference to the underlying evidence record.</summary>
+    public Guid? EvidenceId { get; init; }
+}

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Services/MachoFeatureExtractor.cs

@@ -0,0 +1,267 @@
+// -----------------------------------------------------------------------------
+// MachoFeatureExtractor.cs
+// Sprint: SPRINT_20251226_011_BINIDX_known_build_catalog
+// Task: BINCAT-10 - MachoFeatureExtractor for Mach-O LC_UUID extraction
+// Description: Extracts features from macOS/iOS Mach-O binaries including LC_UUID
+// -----------------------------------------------------------------------------
+
+using System.Security.Cryptography;
+using StellaOps.BinaryIndex.Core.Models;
+
+namespace StellaOps.BinaryIndex.Core.Services;
+
+/// <summary>
+/// Extracts features from macOS/iOS Mach-O binaries.
+/// Supports LC_UUID extraction, architecture detection, and dylib analysis.
+/// </summary>
+public sealed class MachoFeatureExtractor : IBinaryFeatureExtractor
+{
+    // Mach-O magic numbers
+    private const uint MH_MAGIC = 0xFEEDFACE;      // 32-bit big-endian
+    private const uint MH_CIGAM = 0xCEFAEDFE;      // 32-bit little-endian
+    private const uint MH_MAGIC_64 = 0xFEEDFACF;   // 64-bit big-endian
+    private const uint MH_CIGAM_64 = 0xCFFAEDFE;   // 64-bit little-endian
+    private const uint FAT_MAGIC = 0xCAFEBABE;     // Universal binary big-endian
+    private const uint FAT_CIGAM = 0xBEBAFECA;     // Universal binary little-endian
+
+    // Load command types
+    private const uint LC_UUID = 0x1B;             // UUID load command
+    private const uint LC_ID_DYLIB = 0x0D;         // Dylib identification
+
+    public bool CanExtract(Stream stream)
+    {
+        if (stream.Length < 4)
+            return false;
+
+        var originalPosition = stream.Position;
+        try
+        {
+            Span<byte> magic = stackalloc byte[4];
+            stream.Position = 0;
+            var read = stream.Read(magic);
+            if (read < 4)
+                return false;
+
+            var magicValue = BitConverter.ToUInt32(magic);
+            return magicValue is MH_MAGIC or MH_CIGAM or MH_MAGIC_64 or MH_CIGAM_64 or FAT_MAGIC or FAT_CIGAM;
+        }
+        finally
+        {
+            stream.Position = originalPosition;
+        }
+    }
+
+    public async Task<BinaryIdentity> ExtractIdentityAsync(Stream stream, CancellationToken ct = default)
+    {
+        var metadata = await ExtractMetadataAsync(stream, ct);
+
+        // Compute full file SHA-256
+        stream.Position = 0;
+        var fileSha256 = await ComputeSha256Async(stream, ct);
+
+        // Build binary key: macho-uuid or file hash
+        var binaryKey = metadata.BuildId != null
+            ? $"macho-uuid:{metadata.BuildId}:{fileSha256}"
+            : fileSha256;
+
+        return new BinaryIdentity
+        {
+            BinaryKey = binaryKey,
+            BuildId = metadata.BuildId,
+            BuildIdType = metadata.BuildIdType,
+            FileSha256 = fileSha256,
+            Format = metadata.Format,
+            Architecture = metadata.Architecture,
+            Type = metadata.Type,
+            IsStripped = metadata.IsStripped
+        };
+    }
+
+    public Task<BinaryMetadata> ExtractMetadataAsync(Stream stream, CancellationToken ct = default)
+    {
+        stream.Position = 0;
+
+        Span<byte> header = stackalloc byte[32];
+        var read = stream.Read(header);
+        if (read < 4)
+            throw new InvalidDataException("Stream too short for Mach-O header");
+
+        var magicValue = BitConverter.ToUInt32(header[..4]);
+
+        // Handle universal (fat) binaries by reading first slice
+        if (magicValue is FAT_MAGIC or FAT_CIGAM)
+        {
+            return ExtractFatBinaryMetadataAsync(stream, magicValue == FAT_CIGAM);
+        }
+
+        var needsSwap = magicValue is MH_CIGAM or MH_CIGAM_64;
+        var is64Bit = magicValue is MH_MAGIC_64 or MH_CIGAM_64;
+
+        return Task.FromResult(ParseMachHeader(stream, header, is64Bit, needsSwap));
+    }
+
+    private static BinaryMetadata ParseMachHeader(Stream stream, ReadOnlySpan<byte> header, bool is64Bit, bool needsSwap)
+    {
+        // Mach-O header layout:
+        // 0-4: magic
+        // 4-8: cputype
+        // 8-12: cpusubtype
+        // 12-16: filetype
+        // 16-20: ncmds
+        // 20-24: sizeofcmds
+        // 24-28: flags
+        // (64-bit only) 28-32: reserved
+
+        var cpuType = ReadInt32(header[4..8], needsSwap);
+        var fileType = ReadUInt32(header[12..16], needsSwap);
+        var ncmds = ReadUInt32(header[16..20], needsSwap);
+        var sizeOfCmds = ReadUInt32(header[20..24], needsSwap);
+
+        var headerSize = is64Bit ? 32 : 28;
+        var architecture = MapCpuType(cpuType);
+        var type = MapFileType(fileType);
+
+        // Parse load commands to find LC_UUID
+        string? uuid = null;
+        var isStripped = true;
+
+        stream.Position = headerSize;
+        var cmdBuffer = new byte[sizeOfCmds];
+        stream.Read(cmdBuffer);
+
+        var offset = 0;
+        for (var i = 0; i < ncmds && offset < cmdBuffer.Length - 8; i++)
+        {
+            var cmd = ReadUInt32(cmdBuffer.AsSpan(offset, 4), needsSwap);
+            var cmdSize = ReadUInt32(cmdBuffer.AsSpan(offset + 4, 4), needsSwap);
+
+            if (cmd == LC_UUID && cmdSize >= 24)
+            {
+                // UUID is at offset 8-24 in the load command
+                var uuidBytes = cmdBuffer.AsSpan(offset + 8, 16);
+                uuid = FormatUuid(uuidBytes);
+            }
+
+            // Check for symbol table (indicates not stripped)
+            if (cmd == 0x02 || cmd == 0x0B) // LC_SYMTAB or LC_DYSYMTAB
+            {
+                isStripped = false;
+            }
+
+            offset += (int)cmdSize;
+        }
+
+        return new BinaryMetadata
+        {
+            Format = BinaryFormat.Macho,
+            Architecture = architecture,
+            BuildId = uuid,
+            BuildIdType = uuid != null ? "macho-uuid" : null,
+            Type = type,
+            IsStripped = isStripped,
+            Is64Bit = is64Bit
+        };
+    }
+
+    private Task<BinaryMetadata> ExtractFatBinaryMetadataAsync(Stream stream, bool needsSwap)
+    {
+        // Fat binary header:
+        // 0-4: magic
+        // 4-8: nfat_arch
+        stream.Position = 4;
+        Span<byte> nArchBytes = stackalloc byte[4];
+        stream.Read(nArchBytes);
+        var nArch = ReadUInt32(nArchBytes, needsSwap);
+
+        if (nArch == 0)
+            throw new InvalidDataException("Empty fat binary");
+
+        // Read first fat_arch entry to get offset to first slice
+        // fat_arch: cputype(4), cpusubtype(4), offset(4), size(4), align(4)
+        Span<byte> fatArch = stackalloc byte[20];
+        stream.Read(fatArch);
+
+        var sliceOffset = ReadUInt32(fatArch[8..12], needsSwap);
+        var sliceSize = ReadUInt32(fatArch[12..16], needsSwap);
+
+        // Read the Mach-O header from the first slice
+        stream.Position = sliceOffset;
+        Span<byte> sliceHeader = stackalloc byte[32];
+        stream.Read(sliceHeader);
+
+        var sliceMagic = BitConverter.ToUInt32(sliceHeader[..4]);
+        var sliceNeedsSwap = sliceMagic is MH_CIGAM or MH_CIGAM_64;
+        var sliceIs64Bit = sliceMagic is MH_MAGIC_64 or MH_CIGAM_64;
+
+        // Adjust stream position for load command parsing
+        stream.Position = sliceOffset;
+
+        var metadata = ParseMachHeader(stream, sliceHeader, sliceIs64Bit, sliceNeedsSwap);
+        return Task.FromResult(metadata with { IsUniversalBinary = true });
+    }
+
+    private static string MapCpuType(int cpuType) => cpuType switch
+    {
+        0x01000007 => "x86_64",       // CPU_TYPE_X86_64
+        0x00000007 => "x86",          // CPU_TYPE_X86
+        0x0100000C => "aarch64",      // CPU_TYPE_ARM64
+        0x0000000C => "arm",          // CPU_TYPE_ARM
+        _ => $"unknown-{cpuType:X}"
+    };
+
+    private static BinaryType MapFileType(uint fileType) => fileType switch
+    {
+        0x02 => BinaryType.Executable,      // MH_EXECUTE
+        0x06 => BinaryType.SharedLibrary,   // MH_DYLIB
+        0x08 => BinaryType.SharedLibrary,   // MH_BUNDLE
+        0x01 => BinaryType.Object,          // MH_OBJECT
+        0x09 => BinaryType.SharedLibrary,   // MH_DYLIB_STUB
+        _ => BinaryType.Executable
+    };
+
+    private static string FormatUuid(ReadOnlySpan<byte> uuidBytes)
+    {
+        // Mach-O UUID is stored as 16 raw bytes
+        // Format as standard UUID string (8-4-4-4-12)
+        return $"{Convert.ToHexString(uuidBytes[..4])}-" +
+               $"{Convert.ToHexString(uuidBytes[4..6])}-" +
+               $"{Convert.ToHexString(uuidBytes[6..8])}-" +
+               $"{Convert.ToHexString(uuidBytes[8..10])}-" +
+               $"{Convert.ToHexString(uuidBytes[10..16])}".ToUpperInvariant();
+    }
+
+    private static uint ReadUInt32(ReadOnlySpan<byte> bytes, bool swap)
+    {
+        var value = BitConverter.ToUInt32(bytes);
+        return swap ? BinaryPrimitives.ReverseEndianness(value) : value;
+    }
+
+    private static int ReadInt32(ReadOnlySpan<byte> bytes, bool swap)
+    {
+        var value = BitConverter.ToInt32(bytes);
+        return swap ? BinaryPrimitives.ReverseEndianness(value) : value;
+    }
+
+    private static async Task<string> ComputeSha256Async(Stream stream, CancellationToken ct)
+    {
+        stream.Position = 0;
+        var hash = await SHA256.HashDataAsync(stream, ct);
+        return Convert.ToHexString(hash).ToLowerInvariant();
+    }
+}
+
+file static class BinaryPrimitives
+{
+    public static uint ReverseEndianness(uint value)
+    {
+        return ((value & 0x000000FF) << 24) |
+               ((value & 0x0000FF00) << 8) |
+               ((value & 0x00FF0000) >> 8) |
+               ((value & 0xFF000000) >> 24);
+    }
+
+    public static int ReverseEndianness(int value)
+    {
+        return (int)ReverseEndianness((uint)value);
+    }
+}

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Services/PeFeatureExtractor.cs

@@ -0,0 +1,253 @@
+// -----------------------------------------------------------------------------
+// PeFeatureExtractor.cs
+// Sprint: SPRINT_20251226_011_BINIDX_known_build_catalog
+// Task: BINCAT-09 - PeFeatureExtractor for Windows PE CodeView GUID extraction
+// Description: Extracts features from Windows PE binaries including CodeView GUID
+// -----------------------------------------------------------------------------
+
+using System.Security.Cryptography;
+using System.Text;
+using StellaOps.BinaryIndex.Core.Models;
+
+namespace StellaOps.BinaryIndex.Core.Services;
+
+/// <summary>
+/// Extracts features from Windows PE (Portable Executable) binaries.
+/// Supports CodeView GUID extraction, import hash (imphash), and security flags.
+/// </summary>
+public sealed class PeFeatureExtractor : IBinaryFeatureExtractor
+{
+    // DOS header magic: MZ
+    private static readonly byte[] DosMagic = [0x4D, 0x5A]; // "MZ"
+
+    // PE signature: PE\0\0
+    private static readonly byte[] PeSignature = [0x50, 0x45, 0x00, 0x00];
+
+    public bool CanExtract(Stream stream)
+    {
+        if (stream.Length < 64) // Minimum DOS header size
+            return false;
+
+        var originalPosition = stream.Position;
+        try
+        {
+            Span<byte> magic = stackalloc byte[2];
+            stream.Position = 0;
+            var read = stream.Read(magic);
+            return read == 2 && magic.SequenceEqual(DosMagic);
+        }
+        finally
+        {
+            stream.Position = originalPosition;
+        }
+    }
+
+    public async Task<BinaryIdentity> ExtractIdentityAsync(Stream stream, CancellationToken ct = default)
+    {
+        var metadata = await ExtractMetadataAsync(stream, ct);
+
+        // Compute full file SHA-256
+        stream.Position = 0;
+        var fileSha256 = await ComputeSha256Async(stream, ct);
+
+        // Build binary key: pe-cv GUID or file hash
+        var binaryKey = metadata.BuildId != null
+            ? $"pe-cv:{metadata.BuildId}:{fileSha256}"
+            : fileSha256;
+
+        return new BinaryIdentity
+        {
+            BinaryKey = binaryKey,
+            BuildId = metadata.BuildId,
+            BuildIdType = metadata.BuildIdType,
+            FileSha256 = fileSha256,
+            Format = metadata.Format,
+            Architecture = metadata.Architecture,
+            Type = metadata.Type,
+            IsStripped = metadata.IsStripped
+        };
+    }
+
+    public Task<BinaryMetadata> ExtractMetadataAsync(Stream stream, CancellationToken ct = default)
+    {
+        stream.Position = 0;
+
+        // Read DOS header to get PE header offset
+        Span<byte> dosHeader = stackalloc byte[64];
+        var read = stream.Read(dosHeader);
+        if (read < 64)
+            throw new InvalidDataException("Stream too short for DOS header");
+
+        // e_lfanew is at offset 0x3C (60)
+        var peOffset = BitConverter.ToInt32(dosHeader[0x3C..0x40]);
+        if (peOffset < 0 || peOffset > stream.Length - 24)
+            throw new InvalidDataException("Invalid PE header offset");
+
+        // Read PE signature and COFF header
+        stream.Position = peOffset;
+        Span<byte> peHeader = stackalloc byte[24];
+        read = stream.Read(peHeader);
+        if (read < 24)
+            throw new InvalidDataException("Stream too short for PE header");
+
+        // Verify PE signature
+        if (!peHeader[..4].SequenceEqual(PeSignature))
+            throw new InvalidDataException("Invalid PE signature");
+
+        // Parse COFF header (after PE signature)
+        var machine = BitConverter.ToUInt16(peHeader[4..6]);
+        var numberOfSections = BitConverter.ToUInt16(peHeader[6..8]);
+        var timeDateStamp = BitConverter.ToUInt32(peHeader[8..12]);
+        var characteristics = BitConverter.ToUInt16(peHeader[22..24]);
+
+        // Read optional header to determine PE32 vs PE32+
+        Span<byte> optionalMagic = stackalloc byte[2];
+        stream.Read(optionalMagic);
+        var isPe32Plus = BitConverter.ToUInt16(optionalMagic) == 0x20B;
+
+        var architecture = MapMachine(machine);
+        var type = MapCharacteristics(characteristics);
+        var codeViewGuid = ExtractCodeViewGuid(stream, peOffset, isPe32Plus);
+
+        return Task.FromResult(new BinaryMetadata
+        {
+            Format = BinaryFormat.Pe,
+            Architecture = architecture,
+            BuildId = codeViewGuid,
+            BuildIdType = codeViewGuid != null ? "pe-cv" : null,
+            Type = type,
+            IsStripped = !HasDebugInfo(stream, peOffset, isPe32Plus),
+            PeTimestamp = timeDateStamp,
+            IsPe32Plus = isPe32Plus
+        });
+    }
+
+    /// <summary>
+    /// Extract CodeView GUID from PE debug directory.
+    /// </summary>
+    private static string? ExtractCodeViewGuid(Stream stream, int peOffset, bool isPe32Plus)
+    {
+        try
+        {
+            // Calculate optional header size offset
+            stream.Position = peOffset + 20; // After COFF header
+            Span<byte> sizeOfOptionalHeader = stackalloc byte[2];
+            stream.Read(sizeOfOptionalHeader);
+            var optionalHeaderSize = BitConverter.ToUInt16(sizeOfOptionalHeader);
+
+            if (optionalHeaderSize < 128)
+                return null;
+
+            // Debug directory is data directory #6
+            // Offset depends on PE32 vs PE32+
+            var dataDirectoryOffset = isPe32Plus ? 112 : 96;
+            var debugDirectoryRva = peOffset + 24 + dataDirectoryOffset + (6 * 8);
+
+            if (debugDirectoryRva + 8 > stream.Length)
+                return null;
+
+            stream.Position = debugDirectoryRva;
+            Span<byte> debugDir = stackalloc byte[8];
+            stream.Read(debugDir);
+
+            var debugRva = BitConverter.ToUInt32(debugDir[..4]);
+            var debugSize = BitConverter.ToUInt32(debugDir[4..8]);
+
+            if (debugRva == 0 || debugSize == 0)
+                return null;
+
+            // For simplicity, assume RVA == file offset (not always true in real PE)
+            // In production, would need to resolve RVA to file offset via section table
+            if (debugRva + 28 > stream.Length)
+                return null;
+
+            stream.Position = debugRva;
+            Span<byte> debugEntry = stackalloc byte[28];
+            var read = stream.Read(debugEntry);
+            if (read < 28)
+                return null;
+
+            var type = BitConverter.ToUInt32(debugEntry[12..16]);
+            if (type != 2) // IMAGE_DEBUG_TYPE_CODEVIEW
+                return null;
+
+            var pointerToRawData = BitConverter.ToUInt32(debugEntry[24..28]);
+            if (pointerToRawData + 24 > stream.Length)
+                return null;
+
+            // Read CodeView header
+            stream.Position = pointerToRawData;
+            Span<byte> cvHeader = stackalloc byte[24];
+            read = stream.Read(cvHeader);
+            if (read < 24)
+                return null;
+
+            // Check for RSDS signature (PDB 7.0)
+            if (cvHeader[0] == 'R' && cvHeader[1] == 'S' && cvHeader[2] == 'D' && cvHeader[3] == 'S')
+            {
+                // GUID is at offset 4, 16 bytes
+                var guidBytes = cvHeader[4..20];
+                var age = BitConverter.ToUInt32(cvHeader[20..24]);
+
+                // Format as GUID string with age
+                var guid = new Guid(guidBytes.ToArray());
+                return $"{guid:N}{age:X}".ToUpperInvariant();
+            }
+
+            return null;
+        }
+        catch
+        {
+            return null;
+        }
+    }
+
+    private static bool HasDebugInfo(Stream stream, int peOffset, bool isPe32Plus)
+    {
+        try
+        {
+            var dataDirectoryOffset = isPe32Plus ? 112 : 96;
+            var debugDirectoryRva = peOffset + 24 + dataDirectoryOffset + (6 * 8);
+
+            if (debugDirectoryRva + 8 > stream.Length)
+                return false;
+
+            stream.Position = debugDirectoryRva;
+            Span<byte> debugDir = stackalloc byte[8];
+            stream.Read(debugDir);
+
+            var debugRva = BitConverter.ToUInt32(debugDir[..4]);
+            return debugRva != 0;
+        }
+        catch
+        {
+            return false;
+        }
+    }
+
+    private static string MapMachine(ushort machine) => machine switch
+    {
+        0x8664 => "x86_64",
+        0x014C => "x86",
+        0xAA64 => "aarch64",
+        0x01C4 => "arm",
+        0x5064 => "riscv64",
+        _ => $"unknown-{machine:X4}"
+    };
+
+    private static BinaryType MapCharacteristics(ushort characteristics)
+    {
+        if ((characteristics & 0x2000) != 0) // IMAGE_FILE_DLL
+            return BinaryType.SharedLibrary;
+        if ((characteristics & 0x0002) != 0) // IMAGE_FILE_EXECUTABLE_IMAGE
+            return BinaryType.Executable;
+        return BinaryType.Object;
+    }
+
+    private static async Task<string> ComputeSha256Async(Stream stream, CancellationToken ct)
+    {
+        stream.Position = 0;
+        var hash = await SHA256.HashDataAsync(stream, ct);
+        return Convert.ToHexString(hash).ToLowerInvariant();
+    }
+}

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Alpine/AlpineCorpusConnector.cs

@@ -0,0 +1,157 @@
+// -----------------------------------------------------------------------------
+// AlpineCorpusConnector.cs
+// Sprint: SPRINT_20251226_012_BINIDX_backport_handling
+// Task: BACKPORT-16 — Create AlpineCorpusConnector for Alpine APK
+// -----------------------------------------------------------------------------
+
+using System.Runtime.CompilerServices;
+using Microsoft.Extensions.Logging;
+using StellaOps.BinaryIndex.Core.Models;
+using StellaOps.BinaryIndex.Core.Services;
+using StellaOps.BinaryIndex.Corpus;
+
+namespace StellaOps.BinaryIndex.Corpus.Alpine;
+
+/// <summary>
+/// Alpine Linux corpus connector implementation.
+/// Fetches packages from Alpine mirrors and extracts binaries.
+/// </summary>
+public sealed class AlpineCorpusConnector : IBinaryCorpusConnector
+{
+    private readonly IAlpinePackageSource _packageSource;
+    private readonly AlpinePackageExtractor _extractor;
+    private readonly IBinaryFeatureExtractor _featureExtractor;
+    private readonly ICorpusSnapshotRepository _snapshotRepo;
+    private readonly ILogger<AlpineCorpusConnector> _logger;
+
+    private const string DefaultMirror = "https://dl-cdn.alpinelinux.org/alpine";
+
+    public string ConnectorId => "alpine";
+    public string[] SupportedDistros => ["alpine"];
+
+    public AlpineCorpusConnector(
+        IAlpinePackageSource packageSource,
+        AlpinePackageExtractor extractor,
+        IBinaryFeatureExtractor featureExtractor,
+        ICorpusSnapshotRepository snapshotRepo,
+        ILogger<AlpineCorpusConnector> logger)
+    {
+        _packageSource = packageSource;
+        _extractor = extractor;
+        _featureExtractor = featureExtractor;
+        _snapshotRepo = snapshotRepo;
+        _logger = logger;
+    }
+
+    public async Task<CorpusSnapshot> FetchSnapshotAsync(CorpusQuery query, CancellationToken ct = default)
+    {
+        _logger.LogInformation(
+            "Fetching Alpine corpus snapshot for {Release}/{Architecture}",
+            query.Release, query.Architecture);
+
+        // Check if we already have a snapshot for this query
+        var existing = await _snapshotRepo.FindByKeyAsync(
+            query.Distro,
+            query.Release,
+            query.Architecture,
+            ct);
+
+        if (existing != null)
+        {
+            _logger.LogInformation("Using existing snapshot {SnapshotId}", existing.Id);
+            return existing;
+        }
+
+        // Fetch APKINDEX to compute metadata digest
+        var packages = await _packageSource.FetchPackageIndexAsync(
+            query.Release,
+            query.Architecture,
+            ct);
+
+        var packageList = packages.ToList();
+        var metadataDigest = ComputeMetadataDigest(packageList);
+
+        var snapshot = new CorpusSnapshot(
+            Id: Guid.NewGuid(),
+            Distro: "alpine",
+            Release: query.Release,
+            Architecture: query.Architecture,
+            MetadataDigest: metadataDigest,
+            CapturedAt: DateTimeOffset.UtcNow);
+
+        await _snapshotRepo.CreateAsync(snapshot, ct);
+
+        _logger.LogInformation(
+            "Created Alpine corpus snapshot {SnapshotId} with {PackageCount} packages",
+            snapshot.Id, packageList.Count);
+
+        return snapshot;
+    }
+
+    public async IAsyncEnumerable<PackageInfo> ListPackagesAsync(
+        CorpusSnapshot snapshot,
+        [EnumeratorCancellation] CancellationToken ct = default)
+    {
+        _logger.LogDebug("Listing packages for snapshot {SnapshotId}", snapshot.Id);
+
+        var packages = await _packageSource.FetchPackageIndexAsync(
+            snapshot.Release,
+            snapshot.Architecture,
+            ct);
+
+        foreach (var pkg in packages)
+        {
+            yield return new PackageInfo(
+                Name: pkg.PackageName,
+                Version: pkg.Version,
+                SourcePackage: pkg.Origin ?? pkg.PackageName,
+                Architecture: pkg.Architecture,
+                Filename: pkg.Filename,
+                Size: pkg.Size,
+                Sha256: pkg.Checksum);
+        }
+    }
+
+    public async IAsyncEnumerable<ExtractedBinary> ExtractBinariesAsync(
+        PackageInfo pkg,
+        [EnumeratorCancellation] CancellationToken ct = default)
+    {
+        _logger.LogDebug("Extracting binaries from Alpine package {Package} {Version}", pkg.Name, pkg.Version);
+
+        Stream? apkStream = null;
+        try
+        {
+            // Download the .apk package
+            apkStream = await _packageSource.DownloadPackageAsync(pkg.Filename, ct);
+
+            // Extract binaries using AlpinePackageExtractor
+            var extractedBinaries = await _extractor.ExtractBinariesAsync(apkStream, pkg, ct);
+
+            foreach (var binary in extractedBinaries)
+            {
+                yield return new ExtractedBinary(
+                    Identity: binary.Identity,
+                    PathInPackage: binary.FilePath,
+                    Package: pkg);
+            }
+        }
+        finally
+        {
+            if (apkStream != null)
+            {
+                await apkStream.DisposeAsync();
+            }
+        }
+    }
+
+    private static string ComputeMetadataDigest(IEnumerable<AlpinePackageMetadata> packages)
+    {
+        var combined = string.Join("|", packages
+            .OrderBy(p => p.PackageName)
+            .Select(p => $"{p.PackageName}:{p.Version}:{p.Checksum}"));
+
+        using var sha256 = System.Security.Cryptography.SHA256.Create();
+        var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes(combined));
+        return Convert.ToHexString(hash).ToLowerInvariant();
+    }
+}

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Alpine/AlpinePackageExtractor.cs

@@ -0,0 +1,131 @@
+// -----------------------------------------------------------------------------
+// AlpinePackageExtractor.cs
+// Sprint: SPRINT_20251226_012_BINIDX_backport_handling
+// Task: BACKPORT-16 — Create AlpineCorpusConnector for Alpine APK
+// -----------------------------------------------------------------------------
+
+using Microsoft.Extensions.Logging;
+using SharpCompress.Archives;
+using SharpCompress.Archives.Tar;
+using SharpCompress.Compressors.Deflate;
+using StellaOps.BinaryIndex.Core.Models;
+using StellaOps.BinaryIndex.Core.Services;
+using StellaOps.BinaryIndex.Corpus;
+
+namespace StellaOps.BinaryIndex.Corpus.Alpine;
+
+/// <summary>
+/// Extracts binaries from Alpine .apk packages.
+/// </summary>
+public sealed class AlpinePackageExtractor
+{
+    private readonly IBinaryFeatureExtractor _featureExtractor;
+    private readonly ILogger<AlpinePackageExtractor> _logger;
+
+    // ELF magic bytes
+    private static readonly byte[] ElfMagic = [0x7F, 0x45, 0x4C, 0x46];
+
+    public AlpinePackageExtractor(
+        IBinaryFeatureExtractor featureExtractor,
+        ILogger<AlpinePackageExtractor> logger)
+    {
+        _featureExtractor = featureExtractor;
+        _logger = logger;
+    }
+
+    /// <summary>
+    /// Extracts ELF binaries from an Alpine .apk package.
+    /// </summary>
+    /// <param name="apkStream">Stream containing the .apk package.</param>
+    /// <param name="pkg">Package metadata.</param>
+    /// <param name="ct">Cancellation token.</param>
+    /// <returns>Extracted binaries with identity information.</returns>
+    public async Task<IReadOnlyList<ExtractedBinaryInfo>> ExtractBinariesAsync(
+        Stream apkStream,
+        PackageInfo pkg,
+        CancellationToken ct = default)
+    {
+        var results = new List<ExtractedBinaryInfo>();
+
+        // APK is gzipped tar: signature.tar.gz + control.tar.gz + data.tar.gz
+        // We need to extract data.tar.gz which contains the actual files
+        try
+        {
+            var dataTar = await ExtractDataTarAsync(apkStream, ct);
+            if (dataTar == null)
+            {
+                _logger.LogWarning("Could not find data.tar in {Package}", pkg.Name);
+                return results;
+            }
+
+            using var archive = TarArchive.Open(dataTar);
+            foreach (var entry in archive.Entries.Where(e => !e.IsDirectory))
+            {
+                ct.ThrowIfCancellationRequested();
+
+                // Check if this is an ELF binary
+                using var entryStream = entry.OpenEntryStream();
+                using var ms = new MemoryStream();
+                await entryStream.CopyToAsync(ms, ct);
+                ms.Position = 0;
+
+                if (!IsElfBinary(ms))
+                {
+                    continue;
+                }
+
+                ms.Position = 0;
+
+                try
+                {
+                    var identity = await _featureExtractor.ExtractIdentityAsync(ms, entry.Key ?? "", ct);
+                    results.Add(new ExtractedBinaryInfo(identity, entry.Key ?? ""));
+                }
+                catch (Exception ex)
+                {
+                    _logger.LogWarning(ex, "Failed to extract identity from {File} in {Package}",
+                        entry.Key, pkg.Name);
+                }
+            }
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Failed to extract binaries from Alpine package {Package}", pkg.Name);
+        }
+
+        return results;
+    }
+
+    private static async Task<Stream?> ExtractDataTarAsync(Stream apkStream, CancellationToken ct)
+    {
+        // APK packages contain multiple gzipped tar archives concatenated
+        // We need to skip to the data.tar.gz portion
+        // The structure is: signature.tar.gz + control.tar.gz + data.tar.gz
+
+        using var gzip = new GZipStream(apkStream, SharpCompress.Compressors.CompressionMode.Decompress, leaveOpen: true);
+        using var ms = new MemoryStream();
+        await gzip.CopyToAsync(ms, ct);
+        ms.Position = 0;
+
+        // For simplicity, we'll just try to extract from the combined tar
+        // In a real implementation, we'd need to properly parse the multi-part structure
+        return ms;
+    }
+
+    private static bool IsElfBinary(Stream stream)
+    {
+        if (stream.Length < 4)
+            return false;
+
+        var buffer = new byte[4];
+        var read = stream.Read(buffer, 0, 4);
+        stream.Position = 0;
+
+        return read == 4 && buffer.AsSpan().SequenceEqual(ElfMagic);
+    }
+}
+
+/// <summary>
+/// Information about an extracted binary.
+/// </summary>
+public sealed record ExtractedBinaryInfo(BinaryIdentity Identity, string FilePath);

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Alpine/ApkBuildSecfixesExtractor.cs

@@ -0,0 +1,111 @@
+// -----------------------------------------------------------------------------
+// ApkBuildSecfixesExtractor.cs
+// Sprint: SPRINT_20251226_012_BINIDX_backport_handling
+// Task: BACKPORT-17 — Implement APKBUILD secfixes extraction
+// -----------------------------------------------------------------------------
+
+using Microsoft.Extensions.Logging;
+using StellaOps.BinaryIndex.FixIndex.Models;
+using StellaOps.BinaryIndex.FixIndex.Parsers;
+using StellaOps.BinaryIndex.FixIndex.Services;
+
+namespace StellaOps.BinaryIndex.Corpus.Alpine;
+
+/// <summary>
+/// Extracts security fix information from Alpine APKBUILD files.
+/// </summary>
+public sealed class ApkBuildSecfixesExtractor
+{
+    private readonly IAlpinePackageSource _packageSource;
+    private readonly AlpineSecfixesParser _secfixesParser;
+    private readonly IFixIndexBuilder _fixIndexBuilder;
+    private readonly ILogger<ApkBuildSecfixesExtractor> _logger;
+
+    public ApkBuildSecfixesExtractor(
+        IAlpinePackageSource packageSource,
+        IFixIndexBuilder fixIndexBuilder,
+        ILogger<ApkBuildSecfixesExtractor> logger)
+    {
+        _packageSource = packageSource;
+        _secfixesParser = new AlpineSecfixesParser();
+        _fixIndexBuilder = fixIndexBuilder;
+        _logger = logger;
+    }
+
+    /// <summary>
+    /// Extracts fix evidence from an APKBUILD file for a package.
+    /// </summary>
+    /// <param name="release">Alpine release (e.g., v3.19, edge).</param>
+    /// <param name="repository">Repository (main, community).</param>
+    /// <param name="packageName">Package name.</param>
+    /// <param name="snapshotId">Corpus snapshot ID.</param>
+    /// <param name="ct">Cancellation token.</param>
+    /// <returns>Fix evidence entries extracted from the APKBUILD.</returns>
+    public async Task<IReadOnlyList<FixEvidence>> ExtractSecfixesAsync(
+        string release,
+        string repository,
+        string packageName,
+        Guid snapshotId,
+        CancellationToken ct = default)
+    {
+        _logger.LogDebug(
+            "Fetching APKBUILD for {Package} in {Release}/{Repository}",
+            packageName, release, repository);
+
+        var apkbuild = await _packageSource.FetchApkBuildAsync(release, repository, packageName, ct);
+        if (string.IsNullOrWhiteSpace(apkbuild))
+        {
+            _logger.LogDebug("No APKBUILD found for {Package}", packageName);
+            return [];
+        }
+
+        // Use the fix index builder for Alpine
+        var request = new AlpineFixIndexRequest
+        {
+            Release = release,
+            SourcePkg = packageName,
+            ApkBuild = apkbuild,
+            SnapshotId = snapshotId
+        };
+
+        var results = new List<FixEvidence>();
+        await foreach (var evidence in _fixIndexBuilder.BuildAlpineIndexAsync(request, ct))
+        {
+            results.Add(evidence);
+        }
+
+        _logger.LogInformation(
+            "Extracted {Count} CVE fixes from APKBUILD for {Package} in {Release}",
+            results.Count, packageName, release);
+
+        return results;
+    }
+
+    /// <summary>
+    /// Batch extracts fix evidence for multiple packages.
+    /// </summary>
+    /// <param name="release">Alpine release.</param>
+    /// <param name="repository">Repository.</param>
+    /// <param name="packageNames">Package names to process.</param>
+    /// <param name="snapshotId">Corpus snapshot ID.</param>
+    /// <param name="ct">Cancellation token.</param>
+    /// <returns>All fix evidence entries.</returns>
+    public async IAsyncEnumerable<FixEvidence> ExtractSecfixesBatchAsync(
+        string release,
+        string repository,
+        IEnumerable<string> packageNames,
+        Guid snapshotId,
+        [System.Runtime.CompilerServices.EnumeratorCancellation] CancellationToken ct = default)
+    {
+        foreach (var packageName in packageNames)
+        {
+            ct.ThrowIfCancellationRequested();
+
+            var results = await ExtractSecfixesAsync(release, repository, packageName, snapshotId, ct);
+            foreach (var evidence in results)
+            {
+                yield return evidence;
+            }
+        }
+    }
+}

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Alpine/IAlpinePackageSource.cs

@@ -0,0 +1,86 @@
+// -----------------------------------------------------------------------------
+// IAlpinePackageSource.cs
+// Sprint: SPRINT_20251226_012_BINIDX_backport_handling
+// Task: BACKPORT-16 — Create AlpineCorpusConnector for Alpine APK
+// -----------------------------------------------------------------------------
+
+namespace StellaOps.BinaryIndex.Corpus.Alpine;
+
+/// <summary>
+/// Interface for fetching Alpine packages from mirrors.
+/// </summary>
+public interface IAlpinePackageSource
+{
+    /// <summary>
+    /// Fetches the APKINDEX for the given release and architecture.
+    /// </summary>
+    /// <param name="release">Alpine release (e.g., v3.19, edge).</param>
+    /// <param name="architecture">Target architecture (e.g., x86_64, aarch64).</param>
+    /// <param name="ct">Cancellation token.</param>
+    /// <returns>Package metadata from APKINDEX.</returns>
+    Task<IReadOnlyList<AlpinePackageMetadata>> FetchPackageIndexAsync(
+        string release,
+        string architecture,
+        CancellationToken ct = default);
+
+    /// <summary>
+    /// Fetches the APKBUILD content for a source package.
+    /// </summary>
+    /// <param name="release">Alpine release.</param>
+    /// <param name="repository">Repository (main, community).</param>
+    /// <param name="packageName">Package name.</param>
+    /// <param name="ct">Cancellation token.</param>
+    /// <returns>APKBUILD file content, or null if not found.</returns>
+    Task<string?> FetchApkBuildAsync(
+        string release,
+        string repository,
+        string packageName,
+        CancellationToken ct = default);
+
+    /// <summary>
+    /// Downloads a package file.
+    /// </summary>
+    /// <param name="filename">Package filename.</param>
+    /// <param name="ct">Cancellation token.</param>
+    /// <returns>Stream containing the package.</returns>
+    Task<Stream> DownloadPackageAsync(string filename, CancellationToken ct = default);
+}
+
+/// <summary>
+/// Package metadata parsed from APKINDEX.
+/// </summary>
+public sealed record AlpinePackageMetadata
+{
+    /// <summary>Package name (P:).</summary>
+    public required string PackageName { get; init; }
+
+    /// <summary>Package version (V:).</summary>
+    public required string Version { get; init; }
+
+    /// <summary>Architecture (A:).</summary>
+    public required string Architecture { get; init; }
+
+    /// <summary>Package filename (computed from P, V, A).</summary>
+    public required string Filename { get; init; }
+
+    /// <summary>Package size (S:).</summary>
+    public long Size { get; init; }
+
+    /// <summary>Checksum (C:).</summary>
+    public required string Checksum { get; init; }
+
+    /// <summary>Origin/source package (o:).</summary>
+    public string? Origin { get; init; }
+
+    /// <summary>Maintainer (m:).</summary>
+    public string? Maintainer { get; init; }
+
+    /// <summary>Dependencies (D:).</summary>
+    public string[]? Dependencies { get; init; }
+
+    /// <summary>Provides (p:).</summary>
+    public string[]? Provides { get; init; }
+
+    /// <summary>Build timestamp (t:).</summary>
+    public DateTimeOffset? BuildTime { get; init; }
+}

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Alpine/StellaOps.BinaryIndex.Corpus.Alpine.csproj

@@ -0,0 +1,21 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <LangVersion>preview</LangVersion>
+    <GenerateDocumentationFile>true</GenerateDocumentationFile>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="SharpCompress" Version="0.38.0" />
+    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Http" Version="10.0.0" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\StellaOps.BinaryIndex.Core\StellaOps.BinaryIndex.Core.csproj" />
+    <ProjectReference Include="..\StellaOps.BinaryIndex.Corpus\StellaOps.BinaryIndex.Corpus.csproj" />
+    <ProjectReference Include="..\StellaOps.BinaryIndex.FixIndex\StellaOps.BinaryIndex.FixIndex.csproj" />
+  </ItemGroup>
+</Project>

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Rpm/IRpmPackageSource.cs

@@ -0,0 +1,91 @@
+// -----------------------------------------------------------------------------
+// IRpmPackageSource.cs
+// Sprint: SPRINT_20251226_012_BINIDX_backport_handling
+// Task: BACKPORT-14 — Create RpmCorpusConnector for RHEL/Fedora/CentOS
+// -----------------------------------------------------------------------------
+
+namespace StellaOps.BinaryIndex.Corpus.Rpm;
+
+/// <summary>
+/// Interface for fetching RPM packages from mirrors.
+/// </summary>
+public interface IRpmPackageSource
+{
+    /// <summary>
+    /// Fetches the package index (primary.xml) for the given distro/release/arch.
+    /// </summary>
+    /// <param name="distro">Distribution (rhel, fedora, centos, rocky, almalinux).</param>
+    /// <param name="release">Release version (9, 39, etc.).</param>
+    /// <param name="architecture">Target architecture (x86_64, aarch64).</param>
+    /// <param name="ct">Cancellation token.</param>
+    /// <returns>Package metadata from primary.xml.</returns>
+    Task<IReadOnlyList<RpmPackageMetadata>> FetchPackageIndexAsync(
+        string distro,
+        string release,
+        string architecture,
+        CancellationToken ct = default);
+
+    /// <summary>
+    /// Fetches the spec file content from an SRPM.
+    /// </summary>
+    /// <param name="distro">Distribution.</param>
+    /// <param name="release">Release version.</param>
+    /// <param name="srpmFilename">SRPM filename.</param>
+    /// <param name="ct">Cancellation token.</param>
+    /// <returns>Spec file content, or null if not found.</returns>
+    Task<string?> FetchSpecFileAsync(
+        string distro,
+        string release,
+        string srpmFilename,
+        CancellationToken ct = default);
+
+    /// <summary>
+    /// Downloads a package file.
+    /// </summary>
+    /// <param name="filename">Package filename.</param>
+    /// <param name="ct">Cancellation token.</param>
+    /// <returns>Stream containing the package.</returns>
+    Task<Stream> DownloadPackageAsync(string filename, CancellationToken ct = default);
+}
+
+/// <summary>
+/// Package metadata parsed from primary.xml.
+/// </summary>
+public sealed record RpmPackageMetadata
+{
+    /// <summary>Package name.</summary>
+    public required string Name { get; init; }
+
+    /// <summary>Architecture.</summary>
+    public required string Arch { get; init; }
+
+    /// <summary>Epoch (0 if not specified).</summary>
+    public int Epoch { get; init; }
+
+    /// <summary>Version.</summary>
+    public required string Version { get; init; }
+
+    /// <summary>Release.</summary>
+    public required string Release { get; init; }
+
+    /// <summary>Package filename.</summary>
+    public required string Filename { get; init; }
+
+    /// <summary>Package size.</summary>
+    public long Size { get; init; }
+
+    /// <summary>SHA-256 checksum.</summary>
+    public required string Checksum { get; init; }
+
+    /// <summary>Source RPM filename.</summary>
+    public string? SourceRpm { get; init; }
+
+    /// <summary>Package summary.</summary>
+    public string? Summary { get; init; }
+
+    /// <summary>Package description.</summary>
+    public string? Description { get; init; }
+
+    /// <summary>Build timestamp.</summary>
+    public DateTimeOffset? BuildTime { get; init; }
+}

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Rpm/RpmCorpusConnector.cs

@@ -0,0 +1,156 @@
+// -----------------------------------------------------------------------------
+// RpmCorpusConnector.cs
+// Sprint: SPRINT_20251226_012_BINIDX_backport_handling
+// Task: BACKPORT-14 — Create RpmCorpusConnector for RHEL/Fedora/CentOS
+// -----------------------------------------------------------------------------
+
+using System.Runtime.CompilerServices;
+using Microsoft.Extensions.Logging;
+using StellaOps.BinaryIndex.Core.Models;
+using StellaOps.BinaryIndex.Core.Services;
+using StellaOps.BinaryIndex.Corpus;
+
+namespace StellaOps.BinaryIndex.Corpus.Rpm;
+
+/// <summary>
+/// RPM-based corpus connector for RHEL, Fedora, CentOS, Rocky, AlmaLinux.
+/// </summary>
+public sealed class RpmCorpusConnector : IBinaryCorpusConnector
+{
+    private readonly IRpmPackageSource _packageSource;
+    private readonly RpmPackageExtractor _extractor;
+    private readonly IBinaryFeatureExtractor _featureExtractor;
+    private readonly ICorpusSnapshotRepository _snapshotRepo;
+    private readonly ILogger<RpmCorpusConnector> _logger;
+
+    public string ConnectorId => "rpm";
+    public string[] SupportedDistros => ["rhel", "fedora", "centos", "rocky", "almalinux"];
+
+    public RpmCorpusConnector(
+        IRpmPackageSource packageSource,
+        RpmPackageExtractor extractor,
+        IBinaryFeatureExtractor featureExtractor,
+        ICorpusSnapshotRepository snapshotRepo,
+        ILogger<RpmCorpusConnector> logger)
+    {
+        _packageSource = packageSource;
+        _extractor = extractor;
+        _featureExtractor = featureExtractor;
+        _snapshotRepo = snapshotRepo;
+        _logger = logger;
+    }
+
+    public async Task<CorpusSnapshot> FetchSnapshotAsync(CorpusQuery query, CancellationToken ct = default)
+    {
+        _logger.LogInformation(
+            "Fetching RPM corpus snapshot for {Distro} {Release}/{Architecture}",
+            query.Distro, query.Release, query.Architecture);
+
+        // Check if we already have a snapshot for this query
+        var existing = await _snapshotRepo.FindByKeyAsync(
+            query.Distro,
+            query.Release,
+            query.Architecture,
+            ct);
+
+        if (existing != null)
+        {
+            _logger.LogInformation("Using existing snapshot {SnapshotId}", existing.Id);
+            return existing;
+        }
+
+        // Fetch repodata/primary.xml to compute metadata digest
+        var packages = await _packageSource.FetchPackageIndexAsync(
+            query.Distro,
+            query.Release,
+            query.Architecture,
+            ct);
+
+        var packageList = packages.ToList();
+        var metadataDigest = ComputeMetadataDigest(packageList);
+
+        var snapshot = new CorpusSnapshot(
+            Id: Guid.NewGuid(),
+            Distro: query.Distro,
+            Release: query.Release,
+            Architecture: query.Architecture,
+            MetadataDigest: metadataDigest,
+            CapturedAt: DateTimeOffset.UtcNow);
+
+        await _snapshotRepo.CreateAsync(snapshot, ct);
+
+        _logger.LogInformation(
+            "Created RPM corpus snapshot {SnapshotId} with {PackageCount} packages",
+            snapshot.Id, packageList.Count);
+
+        return snapshot;
+    }
+
+    public async IAsyncEnumerable<PackageInfo> ListPackagesAsync(
+        CorpusSnapshot snapshot,
+        [EnumeratorCancellation] CancellationToken ct = default)
+    {
+        _logger.LogDebug("Listing packages for snapshot {SnapshotId}", snapshot.Id);
+
+        var packages = await _packageSource.FetchPackageIndexAsync(
+            snapshot.Distro,
+            snapshot.Release,
+            snapshot.Architecture,
+            ct);
+
+        foreach (var pkg in packages)
+        {
+            yield return new PackageInfo(
+                Name: pkg.Name,
+                Version: $"{pkg.Version}-{pkg.Release}",
+                SourcePackage: pkg.SourceRpm ?? pkg.Name,
+                Architecture: pkg.Arch,
+                Filename: pkg.Filename,
+                Size: pkg.Size,
+                Sha256: pkg.Checksum);
+        }
+    }
+
+    public async IAsyncEnumerable<ExtractedBinary> ExtractBinariesAsync(
+        PackageInfo pkg,
+        [EnumeratorCancellation] CancellationToken ct = default)
+    {
+        _logger.LogDebug("Extracting binaries from RPM {Package} {Version}", pkg.Name, pkg.Version);
+
+        Stream? rpmStream = null;
+        try
+        {
+            // Download the .rpm package
+            rpmStream = await _packageSource.DownloadPackageAsync(pkg.Filename, ct);
+
+            // Extract binaries using RpmPackageExtractor
+            var extractedBinaries = await _extractor.ExtractBinariesAsync(rpmStream, pkg, ct);
+
+            foreach (var binary in extractedBinaries)
+            {
+                yield return new ExtractedBinary(
+                    Identity: binary.Identity,
+                    PathInPackage: binary.FilePath,
+                    Package: pkg);
+            }
+        }
+        finally
+        {
+            if (rpmStream != null)
+            {
+                await rpmStream.DisposeAsync();
+            }
+        }
+    }
+
+    private static string ComputeMetadataDigest(IEnumerable<RpmPackageMetadata> packages)
+    {
+        var combined = string.Join("|", packages
+            .OrderBy(p => p.Name)
+            .Select(p => $"{p.Name}:{p.Epoch}:{p.Version}-{p.Release}:{p.Checksum}"));
+
+        using var sha256 = System.Security.Cryptography.SHA256.Create();
+        var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes(combined));
+        return Convert.ToHexString(hash).ToLowerInvariant();
+    }
+}

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Rpm/RpmPackageExtractor.cs

@@ -0,0 +1,203 @@
+// -----------------------------------------------------------------------------
+// RpmPackageExtractor.cs
+// Sprint: SPRINT_20251226_012_BINIDX_backport_handling
+// Task: BACKPORT-14 — Create RpmCorpusConnector for RHEL/Fedora/CentOS
+// -----------------------------------------------------------------------------
+
+using Microsoft.Extensions.Logging;
+using SharpCompress.Archives;
+using SharpCompress.Compressors.Xz;
+using SharpCompress.Readers.Cpio;
+using StellaOps.BinaryIndex.Core.Models;
+using StellaOps.BinaryIndex.Core.Services;
+using StellaOps.BinaryIndex.Corpus;
+
+namespace StellaOps.BinaryIndex.Corpus.Rpm;
+
+/// <summary>
+/// Extracts binaries from RPM packages.
+/// </summary>
+public sealed class RpmPackageExtractor
+{
+    private readonly IBinaryFeatureExtractor _featureExtractor;
+    private readonly ILogger<RpmPackageExtractor> _logger;
+
+    // ELF magic bytes
+    private static readonly byte[] ElfMagic = [0x7F, 0x45, 0x4C, 0x46];
+
+    // RPM magic bytes
+    private static readonly byte[] RpmMagic = [0xED, 0xAB, 0xEE, 0xDB];
+
+    public RpmPackageExtractor(
+        IBinaryFeatureExtractor featureExtractor,
+        ILogger<RpmPackageExtractor> logger)
+    {
+        _featureExtractor = featureExtractor;
+        _logger = logger;
+    }
+
+    /// <summary>
+    /// Extracts ELF binaries from an RPM package.
+    /// </summary>
+    /// <param name="rpmStream">Stream containing the .rpm package.</param>
+    /// <param name="pkg">Package metadata.</param>
+    /// <param name="ct">Cancellation token.</param>
+    /// <returns>Extracted binaries with identity information.</returns>
+    public async Task<IReadOnlyList<ExtractedBinaryInfo>> ExtractBinariesAsync(
+        Stream rpmStream,
+        PackageInfo pkg,
+        CancellationToken ct = default)
+    {
+        var results = new List<ExtractedBinaryInfo>();
+
+        try
+        {
+            // RPM structure: lead + signature header + header + payload (cpio.xz/cpio.gz/cpio.zstd)
+            var payloadStream = await ExtractPayloadAsync(rpmStream, ct);
+            if (payloadStream == null)
+            {
+                _logger.LogWarning("Could not extract payload from RPM {Package}", pkg.Name);
+                return results;
+            }
+
+            using var reader = CpioReader.Open(payloadStream);
+            while (reader.MoveToNextEntry())
+            {
+                ct.ThrowIfCancellationRequested();
+
+                if (reader.Entry.IsDirectory)
+                    continue;
+
+                using var entryStream = reader.OpenEntryStream();
+                using var ms = new MemoryStream();
+                await entryStream.CopyToAsync(ms, ct);
+                ms.Position = 0;
+
+                if (!IsElfBinary(ms))
+                {
+                    continue;
+                }
+
+                ms.Position = 0;
+
+                try
+                {
+                    var identity = await _featureExtractor.ExtractIdentityAsync(ms, reader.Entry.Key ?? "", ct);
+                    results.Add(new ExtractedBinaryInfo(identity, reader.Entry.Key ?? ""));
+                }
+                catch (Exception ex)
+                {
+                    _logger.LogWarning(ex, "Failed to extract identity from {File} in RPM {Package}",
+                        reader.Entry.Key, pkg.Name);
+                }
+            }
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Failed to extract binaries from RPM package {Package}", pkg.Name);
+        }
+
+        return results;
+    }
+
+    private async Task<Stream?> ExtractPayloadAsync(Stream rpmStream, CancellationToken ct)
+    {
+        // Skip RPM lead (96 bytes)
+        var lead = new byte[96];
+        var read = await rpmStream.ReadAsync(lead.AsMemory(0, 96), ct);
+        if (read != 96 || !lead.AsSpan(0, 4).SequenceEqual(RpmMagic))
+        {
+            _logger.LogWarning("Invalid RPM lead");
+            return null;
+        }
+
+        // Skip signature header (aligned to 8 bytes)
+        var sigHeader = await SkipHeaderAsync(rpmStream, ct);
+        if (sigHeader < 0)
+        {
+            _logger.LogWarning("Failed to skip signature header");
+            return null;
+        }
+
+        // Skip main header
+        var mainHeader = await SkipHeaderAsync(rpmStream, ct);
+        if (mainHeader < 0)
+        {
+            _logger.LogWarning("Failed to skip main header");
+            return null;
+        }
+
+        // The rest is the payload (compressed cpio)
+        var payloadMs = new MemoryStream();
+        await rpmStream.CopyToAsync(payloadMs, ct);
+        payloadMs.Position = 0;
+
+        // Try to decompress (xz is most common for modern RPMs)
+        try
+        {
+            var xzStream = new XZStream(payloadMs);
+            var decompressed = new MemoryStream();
+            await xzStream.CopyToAsync(decompressed, ct);
+            decompressed.Position = 0;
+            return decompressed;
+        }
+        catch
+        {
+            // Try other compression formats or return as-is
+            payloadMs.Position = 0;
+            return payloadMs;
+        }
+    }
+
+    private static async Task<long> SkipHeaderAsync(Stream stream, CancellationToken ct)
+    {
+        // RPM header magic: 8D AD E8 01
+        var headerMagic = new byte[8];
+        var read = await stream.ReadAsync(headerMagic.AsMemory(0, 8), ct);
+        if (read != 8)
+            return -1;
+
+        // Header index entries count (4 bytes, big-endian)
+        var indexCount = (headerMagic[4] << 24) | (headerMagic[5] << 16) | (headerMagic[6] << 8) | headerMagic[7];
+
+        // Read data size (4 bytes, big-endian)
+        var dataSizeBytes = new byte[4];
+        read = await stream.ReadAsync(dataSizeBytes.AsMemory(0, 4), ct);
+        if (read != 4)
+            return -1;
+
+        var dataSize = (dataSizeBytes[0] << 24) | (dataSizeBytes[1] << 16) | (dataSizeBytes[2] << 8) | dataSizeBytes[3];
+
+        // Skip index entries (16 bytes each) and data
+        var toSkip = (indexCount * 16) + dataSize;
+
+        // Align to 8 bytes
+        var position = stream.Position + toSkip;
+        var padding = (8 - (position % 8)) % 8;
+        toSkip += (int)padding;
+
+        var buffer = new byte[toSkip];
+        read = await stream.ReadAsync(buffer.AsMemory(0, toSkip), ct);
+        if (read != toSkip)
+            return -1;
+
+        return toSkip;
+    }
+
+    private static bool IsElfBinary(Stream stream)
+    {
+        if (stream.Length < 4)
+            return false;
+
+        var buffer = new byte[4];
+        var read = stream.Read(buffer, 0, 4);
+        stream.Position = 0;
+
+        return read == 4 && buffer.AsSpan().SequenceEqual(ElfMagic);
+    }
+}
+
+/// <summary>
+/// Information about an extracted binary.
+/// </summary>
+public sealed record ExtractedBinaryInfo(BinaryIdentity Identity, string FilePath);

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Rpm/StellaOps.BinaryIndex.Corpus.Rpm.csproj

@@ -0,0 +1,21 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <LangVersion>preview</LangVersion>
+    <GenerateDocumentationFile>true</GenerateDocumentationFile>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="SharpCompress" Version="0.38.0" />
+    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Http" Version="10.0.0" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\StellaOps.BinaryIndex.Core\StellaOps.BinaryIndex.Core.csproj" />
+    <ProjectReference Include="..\StellaOps.BinaryIndex.Corpus\StellaOps.BinaryIndex.Corpus.csproj" />
+    <ProjectReference Include="..\StellaOps.BinaryIndex.FixIndex\StellaOps.BinaryIndex.FixIndex.csproj" />
+  </ItemGroup>
+</Project>

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.FixIndex/Parsers/RpmChangelogParser.cs

@@ -0,0 +1,224 @@
+using System.Text.RegularExpressions;
+using StellaOps.BinaryIndex.FixIndex.Models;
+
+namespace StellaOps.BinaryIndex.FixIndex.Parsers;
+
+/// <summary>
+/// Parses RPM spec file changelog sections for CVE mentions.
+/// </summary>
+/// <remarks>
+/// RPM changelog format:
+/// %changelog
+/// * Mon Jan 01 2024 Packager &lt;email&gt; - 1.2.3-4
+/// - Fix CVE-2024-1234
+/// </remarks>
+public sealed partial class RpmChangelogParser : IChangelogParser
+{
+    [GeneratedRegex(@"\bCVE-\d{4}-\d{4,7}\b", RegexOptions.Compiled)]
+    private static partial Regex CvePatternRegex();
+
+    [GeneratedRegex(@"^\*\s+\w{3}\s+\w{3}\s+\d{1,2}\s+\d{4}\s+(.+?)\s+-\s+(\S+)", RegexOptions.Compiled)]
+    private static partial Regex EntryHeaderPatternRegex();
+
+    [GeneratedRegex(@"^%changelog\s*$", RegexOptions.Compiled | RegexOptions.IgnoreCase)]
+    private static partial Regex ChangelogStartPatternRegex();
+
+    [GeneratedRegex(@"^%\w+", RegexOptions.Compiled)]
+    private static partial Regex SectionStartPatternRegex();
+
+    /// <summary>
+    /// Parses the top entry of an RPM spec changelog for CVE mentions.
+    /// </summary>
+    public IEnumerable<FixEvidence> ParseTopEntry(
+        string specContent,
+        string distro,
+        string release,
+        string sourcePkg)
+    {
+        if (string.IsNullOrWhiteSpace(specContent))
+            yield break;
+
+        var lines = specContent.Split('\n');
+        var inChangelog = false;
+        var inFirstEntry = false;
+        string? currentVersion = null;
+        var entryLines = new List<string>();
+
+        foreach (var line in lines)
+        {
+            // Detect %changelog start
+            if (ChangelogStartPatternRegex().IsMatch(line))
+            {
+                inChangelog = true;
+                continue;
+            }
+
+            if (!inChangelog)
+                continue;
+
+            // Exit on new section (e.g., %files, %prep)
+            if (SectionStartPatternRegex().IsMatch(line) && !ChangelogStartPatternRegex().IsMatch(line))
+                break;
+
+            // Detect entry header: * Day Mon DD YYYY Author <email> - version
+            var headerMatch = EntryHeaderPatternRegex().Match(line);
+            if (headerMatch.Success)
+            {
+                if (inFirstEntry)
+                {
+                    // We've hit the second entry, stop processing
+                    break;
+                }
+
+                inFirstEntry = true;
+                currentVersion = headerMatch.Groups[2].Value;
+                entryLines.Add(line);
+                continue;
+            }
+
+            if (inFirstEntry)
+            {
+                entryLines.Add(line);
+            }
+        }
+
+        if (currentVersion == null || entryLines.Count == 0)
+            yield break;
+
+        var entryText = string.Join('\n', entryLines);
+        var cves = CvePatternRegex().Matches(entryText)
+            .Select(m => m.Value)
+            .Distinct()
+            .ToList();
+
+        foreach (var cve in cves)
+        {
+            yield return new FixEvidence
+            {
+                Distro = distro,
+                Release = release,
+                SourcePkg = sourcePkg,
+                CveId = cve,
+                State = FixState.Fixed,
+                FixedVersion = currentVersion,
+                Method = FixMethod.Changelog,
+                Confidence = 0.75m, // RPM changelogs are less structured than Debian
+                Evidence = new ChangelogEvidence
+                {
+                    File = "*.spec",
+                    Version = currentVersion,
+                    Excerpt = entryText.Length > 2000 ? entryText[..2000] : entryText,
+                    LineNumber = null
+                },
+                CreatedAt = DateTimeOffset.UtcNow
+            };
+        }
+    }
+
+    /// <summary>
+    /// Parses the full RPM spec changelog for all CVE mentions with their versions.
+    /// </summary>
+    public IEnumerable<FixEvidence> ParseAllEntries(
+        string specContent,
+        string distro,
+        string release,
+        string sourcePkg)
+    {
+        if (string.IsNullOrWhiteSpace(specContent))
+            yield break;
+
+        var lines = specContent.Split('\n');
+        var inChangelog = false;
+        string? currentVersion = null;
+        var currentEntry = new List<string>();
+
+        foreach (var line in lines)
+        {
+            // Detect %changelog start
+            if (ChangelogStartPatternRegex().IsMatch(line))
+            {
+                inChangelog = true;
+                continue;
+            }
+
+            if (!inChangelog)
+                continue;
+
+            // Exit on new section
+            if (SectionStartPatternRegex().IsMatch(line) && !ChangelogStartPatternRegex().IsMatch(line))
+            {
+                // Process last entry
+                if (currentVersion != null && currentEntry.Count > 0)
+                {
+                    foreach (var fix in ExtractCvesFromEntry(currentEntry, currentVersion, distro, release, sourcePkg))
+                        yield return fix;
+                }
+                break;
+            }
+
+            // Detect entry header
+            var headerMatch = EntryHeaderPatternRegex().Match(line);
+            if (headerMatch.Success)
+            {
+                // Process previous entry
+                if (currentVersion != null && currentEntry.Count > 0)
+                {
+                    foreach (var fix in ExtractCvesFromEntry(currentEntry, currentVersion, distro, release, sourcePkg))
+                        yield return fix;
+                }
+
+                currentVersion = headerMatch.Groups[2].Value;
+                currentEntry = [line];
+                continue;
+            }
+
+            if (currentVersion != null)
+            {
+                currentEntry.Add(line);
+            }
+        }
+
+        // Process final entry if exists
+        if (currentVersion != null && currentEntry.Count > 0)
+        {
+            foreach (var fix in ExtractCvesFromEntry(currentEntry, currentVersion, distro, release, sourcePkg))
+                yield return fix;
+        }
+    }
+
+    private IEnumerable<FixEvidence> ExtractCvesFromEntry(
+        List<string> entryLines,
+        string version,
+        string distro,
+        string release,
+        string sourcePkg)
+    {
+        var entryText = string.Join('\n', entryLines);
+        var cves = CvePatternRegex().Matches(entryText)
+            .Select(m => m.Value)
+            .Distinct();
+
+        foreach (var cve in cves)
+        {
+            yield return new FixEvidence
+            {
+                Distro = distro,
+                Release = release,
+                SourcePkg = sourcePkg,
+                CveId = cve,
+                State = FixState.Fixed,
+                FixedVersion = version,
+                Method = FixMethod.Changelog,
+                Confidence = 0.75m,
+                Evidence = new ChangelogEvidence
+                {
+                    File = "*.spec",
+                    Version = version,
+                    Excerpt = entryText.Length > 2000 ? entryText[..2000] : entryText,
+                    LineNumber = null
+                },
+                CreatedAt = DateTimeOffset.UtcNow
+            };
+        }
+    }
+}

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.FixIndex/Repositories/IFixIndexRepository.cs

@@ -0,0 +1,111 @@
+using StellaOps.BinaryIndex.FixIndex.Models;
+
+namespace StellaOps.BinaryIndex.FixIndex.Repositories;
+
+/// <summary>
+/// Repository interface for CVE fix index operations.
+/// </summary>
+public interface IFixIndexRepository
+{
+    /// <summary>
+    /// Gets the fix status for a specific CVE/package/distro combination.
+    /// </summary>
+    /// <param name="distro">Distribution (debian, ubuntu, alpine, rhel)</param>
+    /// <param name="release">Release codename (bookworm, jammy, v3.19)</param>
+    /// <param name="sourcePkg">Source package name</param>
+    /// <param name="cveId">CVE identifier</param>
+    /// <param name="cancellationToken">Cancellation token</param>
+    /// <returns>Fix status if found, null otherwise</returns>
+    Task<FixIndexEntry?> GetFixStatusAsync(
+        string distro,
+        string release,
+        string sourcePkg,
+        string cveId,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Gets all fix statuses for a package.
+    /// </summary>
+    Task<IReadOnlyList<FixIndexEntry>> GetFixStatusesForPackageAsync(
+        string distro,
+        string release,
+        string sourcePkg,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Gets all known fix locations for a CVE across distros.
+    /// </summary>
+    Task<IReadOnlyList<FixIndexEntry>> GetFixLocationsForCveAsync(
+        string cveId,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Upserts a fix index entry.
+    /// </summary>
+    Task<FixIndexEntry> UpsertAsync(
+        FixEvidence evidence,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Batch upserts fix index entries.
+    /// </summary>
+    Task<int> UpsertBatchAsync(
+        IEnumerable<FixEvidence> evidenceList,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Stores fix evidence for audit trail.
+    /// </summary>
+    Task<Guid> StoreEvidenceAsync(
+        FixEvidence evidence,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Gets evidence by ID.
+    /// </summary>
+    Task<FixEvidenceRecord?> GetEvidenceAsync(
+        Guid evidenceId,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Deletes all entries from a specific snapshot (for re-ingestion).
+    /// </summary>
+    Task<int> DeleteBySnapshotAsync(
+        Guid snapshotId,
+        CancellationToken cancellationToken = default);
+}
+
+/// <summary>
+/// Fix index entry from the database.
+/// </summary>
+public sealed record FixIndexEntry
+{
+    public required Guid Id { get; init; }
+    public required string Distro { get; init; }
+    public required string Release { get; init; }
+    public required string SourcePkg { get; init; }
+    public required string CveId { get; init; }
+    public required FixState State { get; init; }
+    public string? FixedVersion { get; init; }
+    public required FixMethod Method { get; init; }
+    public required decimal Confidence { get; init; }
+    public Guid? EvidenceId { get; init; }
+    public Guid? SnapshotId { get; init; }
+    public required DateTimeOffset IndexedAt { get; init; }
+    public required DateTimeOffset UpdatedAt { get; init; }
+}
+
+/// <summary>
+/// Fix evidence record from the database.
+/// </summary>
+public sealed record FixEvidenceRecord
+{
+    public required Guid Id { get; init; }
+    public required string EvidenceType { get; init; }
+    public string? SourceFile { get; init; }
+    public string? SourceSha256 { get; init; }
+    public string? Excerpt { get; init; }
+    public required string MetadataJson { get; init; }
+    public Guid? SnapshotId { get; init; }
+    public required DateTimeOffset CreatedAt { get; init; }
+}

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.FixIndex/Services/FixIndexBuilder.cs

@@ -0,0 +1,127 @@
+using System.Runtime.CompilerServices;
+using Microsoft.Extensions.Logging;
+using StellaOps.BinaryIndex.FixIndex.Models;
+using StellaOps.BinaryIndex.FixIndex.Parsers;
+
+namespace StellaOps.BinaryIndex.FixIndex.Services;
+
+/// <summary>
+/// Default implementation of <see cref="IFixIndexBuilder"/>.
+/// </summary>
+public sealed class FixIndexBuilder : IFixIndexBuilder
+{
+    private readonly ILogger<FixIndexBuilder> _logger;
+    private readonly DebianChangelogParser _debianParser;
+    private readonly PatchHeaderParser _patchParser;
+    private readonly AlpineSecfixesParser _alpineParser;
+    private readonly RpmChangelogParser _rpmParser;
+
+    public FixIndexBuilder(ILogger<FixIndexBuilder> logger)
+    {
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _debianParser = new DebianChangelogParser();
+        _patchParser = new PatchHeaderParser();
+        _alpineParser = new AlpineSecfixesParser();
+        _rpmParser = new RpmChangelogParser();
+    }
+
+    /// <inheritdoc />
+    public async IAsyncEnumerable<FixEvidence> BuildDebianIndexAsync(
+        DebianFixIndexRequest request,
+        [EnumeratorCancellation] CancellationToken cancellationToken = default)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        _logger.LogDebug(
+            "Building Debian fix index for {Distro}/{Release}/{Package}",
+            request.Distro, request.Release, request.SourcePkg);
+
+        var cvesSeen = new HashSet<string>();
+
+        // Parse changelog for CVE mentions
+        if (!string.IsNullOrWhiteSpace(request.Changelog))
+        {
+            foreach (var evidence in _debianParser.ParseTopEntry(
+                request.Changelog,
+                request.Distro,
+                request.Release,
+                request.SourcePkg))
+            {
+                if (cvesSeen.Add(evidence.CveId))
+                {
+                    yield return evidence with { SnapshotId = request.SnapshotId };
+                }
+            }
+        }
+
+        // Parse patches for CVE mentions (DEP-3 format)
+        if (request.Patches != null && request.Patches.Count > 0 && !string.IsNullOrEmpty(request.Version))
+        {
+            var patchTuples = request.Patches
+                .Select(p => (p.Path, p.Content, p.Sha256));
+
+            foreach (var evidence in _patchParser.ParsePatches(
+                patchTuples,
+                request.Distro,
+                request.Release,
+                request.SourcePkg,
+                request.Version))
+            {
+                // Patches have higher confidence, so they can override changelog entries
+                if (cvesSeen.Add(evidence.CveId) || evidence.Confidence > 0.85m)
+                {
+                    yield return evidence with { SnapshotId = request.SnapshotId };
+                }
+            }
+        }
+
+        await Task.CompletedTask; // Satisfy async requirement
+    }
+
+    /// <inheritdoc />
+    public async IAsyncEnumerable<FixEvidence> BuildAlpineIndexAsync(
+        AlpineFixIndexRequest request,
+        [EnumeratorCancellation] CancellationToken cancellationToken = default)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        _logger.LogDebug(
+            "Building Alpine fix index for {Release}/{Package}",
+            request.Release, request.SourcePkg);
+
+        foreach (var evidence in _alpineParser.Parse(
+            request.ApkBuild,
+            request.Distro,
+            request.Release,
+            request.SourcePkg))
+        {
+            yield return evidence with { SnapshotId = request.SnapshotId };
+        }
+
+        await Task.CompletedTask;
+    }
+
+    /// <inheritdoc />
+    public async IAsyncEnumerable<FixEvidence> BuildRpmIndexAsync(
+        RpmFixIndexRequest request,
+        [EnumeratorCancellation] CancellationToken cancellationToken = default)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        _logger.LogDebug(
+            "Building RPM fix index for {Distro}/{Release}/{Package}",
+            request.Distro, request.Release, request.SourcePkg);
+
+        // Parse spec file changelog
+        foreach (var evidence in _rpmParser.ParseAllEntries(
+            request.SpecContent,
+            request.Distro,
+            request.Release,
+            request.SourcePkg))
+        {
+            yield return evidence with { SnapshotId = request.SnapshotId };
+        }
+
+        await Task.CompletedTask;
+    }
+}

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.FixIndex/Services/IFixIndexBuilder.cs

@@ -0,0 +1,123 @@
+using StellaOps.BinaryIndex.FixIndex.Models;
+
+namespace StellaOps.BinaryIndex.FixIndex.Services;
+
+/// <summary>
+/// Interface for building the CVE fix index from various sources.
+/// </summary>
+public interface IFixIndexBuilder
+{
+    /// <summary>
+    /// Builds fix index entries for a Debian/Ubuntu package.
+    /// </summary>
+    /// <param name="request">The Debian build request.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Fix evidence entries.</returns>
+    IAsyncEnumerable<FixEvidence> BuildDebianIndexAsync(
+        DebianFixIndexRequest request,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Builds fix index entries for an Alpine package.
+    /// </summary>
+    /// <param name="request">The Alpine build request.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Fix evidence entries.</returns>
+    IAsyncEnumerable<FixEvidence> BuildAlpineIndexAsync(
+        AlpineFixIndexRequest request,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Builds fix index entries for an RPM package.
+    /// </summary>
+    /// <param name="request">The RPM build request.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Fix evidence entries.</returns>
+    IAsyncEnumerable<FixEvidence> BuildRpmIndexAsync(
+        RpmFixIndexRequest request,
+        CancellationToken cancellationToken = default);
+}
+
+/// <summary>
+/// Request for building Debian fix index.
+/// </summary>
+public sealed record DebianFixIndexRequest
+{
+    /// <summary>Distribution (debian or ubuntu).</summary>
+    public required string Distro { get; init; }
+
+    /// <summary>Release codename (bookworm, jammy).</summary>
+    public required string Release { get; init; }
+
+    /// <summary>Source package name.</summary>
+    public required string SourcePkg { get; init; }
+
+    /// <summary>Changelog content.</summary>
+    public string? Changelog { get; init; }
+
+    /// <summary>Patches with path, content, and SHA-256.</summary>
+    public IReadOnlyList<PatchFile>? Patches { get; init; }
+
+    /// <summary>Package version for patch association.</summary>
+    public string? Version { get; init; }
+
+    /// <summary>Corpus snapshot ID.</summary>
+    public Guid? SnapshotId { get; init; }
+}
+
+/// <summary>
+/// Request for building Alpine fix index.
+/// </summary>
+public sealed record AlpineFixIndexRequest
+{
+    /// <summary>Distribution (always "alpine").</summary>
+    public string Distro => "alpine";
+
+    /// <summary>Release (v3.19, edge).</summary>
+    public required string Release { get; init; }
+
+    /// <summary>Source package name.</summary>
+    public required string SourcePkg { get; init; }
+
+    /// <summary>APKBUILD file content.</summary>
+    public required string ApkBuild { get; init; }
+
+    /// <summary>Corpus snapshot ID.</summary>
+    public Guid? SnapshotId { get; init; }
+}
+
+/// <summary>
+/// Request for building RPM fix index.
+/// </summary>
+public sealed record RpmFixIndexRequest
+{
+    /// <summary>Distribution (rhel, fedora, centos, rocky, alma).</summary>
+    public required string Distro { get; init; }
+
+    /// <summary>Release version (9, 39, etc.).</summary>
+    public required string Release { get; init; }
+
+    /// <summary>Source package name.</summary>
+    public required string SourcePkg { get; init; }
+
+    /// <summary>Spec file content.</summary>
+    public required string SpecContent { get; init; }
+
+    /// <summary>Corpus snapshot ID.</summary>
+    public Guid? SnapshotId { get; init; }
+}
+
+/// <summary>
+/// Represents a patch file with content.
+/// </summary>
+public sealed record PatchFile
+{
+    /// <summary>Relative path to the patch file.</summary>
+    public required string Path { get; init; }
+
+    /// <summary>Content of the patch file.</summary>
+    public required string Content { get; init; }
+
+    /// <summary>SHA-256 hash of the patch content.</summary>
+    public required string Sha256 { get; init; }
+}

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/Migrations/003_create_fix_index_tables.sql

@@ -0,0 +1,178 @@
+-- =============================================================================
+-- 003_create_fix_index_tables.sql
+-- Sprint: SPRINT_20251226_012_BINIDX_backport_handling
+-- Tasks: BACKPORT-01, BACKPORT-02
+-- Description: Creates CVE fix index tables for patch-aware backport handling
+-- =============================================================================
+
+-- -----------------------------------------------------------------------------
+-- fix_evidence: Audit trail for how fix status was determined
+-- -----------------------------------------------------------------------------
+CREATE TABLE IF NOT EXISTS binaries.fix_evidence (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id TEXT NOT NULL DEFAULT binaries_app.require_current_tenant(),
+
+    -- Evidence type: changelog, patch_header, security_feed, upstream_match
+    evidence_type TEXT NOT NULL,
+
+    -- Source file (e.g., "debian/changelog", "alpine/APKBUILD", "openssl.spec")
+    source_file TEXT,
+
+    -- SHA-256 of source file for integrity
+    source_sha256 TEXT,
+
+    -- Truncated excerpt of relevant content (max 2KB)
+    excerpt TEXT,
+
+    -- Structured metadata as JSONB for type-specific fields
+    metadata JSONB NOT NULL DEFAULT '{}',
+
+    -- Corpus snapshot this evidence came from
+    snapshot_id UUID,
+
+    -- Timestamps
+    created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+
+    CONSTRAINT fix_evidence_type_check CHECK (evidence_type IN (
+        'changelog', 'patch_header', 'security_feed', 'upstream_match'
+    ))
+);
+
+-- Enable RLS
+ALTER TABLE binaries.fix_evidence ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY tenant_isolation ON binaries.fix_evidence
+    USING (tenant_id = binaries_app.require_current_tenant());
+
+-- Index for snapshot cleanup
+CREATE INDEX IF NOT EXISTS idx_fix_evidence_snapshot
+    ON binaries.fix_evidence (tenant_id, snapshot_id);
+
+-- -----------------------------------------------------------------------------
+-- cve_fix_index: Patch-aware CVE fix status per distro/release/package
+-- -----------------------------------------------------------------------------
+CREATE TABLE IF NOT EXISTS binaries.cve_fix_index (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id TEXT NOT NULL DEFAULT binaries_app.require_current_tenant(),
+
+    -- Distribution coordinates
+    distro TEXT NOT NULL,                  -- debian, ubuntu, alpine, rhel, fedora, centos
+    release TEXT NOT NULL,                 -- bookworm, jammy, v3.19, 9
+    source_pkg TEXT NOT NULL,              -- Source package name
+
+    -- CVE identification
+    cve_id TEXT NOT NULL,                  -- CVE-YYYY-NNNN
+
+    -- Fix status
+    state TEXT NOT NULL,                   -- fixed, vulnerable, not_affected, wontfix, unknown
+    fixed_version TEXT,                    -- Distro version string where fix was applied
+
+    -- How this status was determined
+    method TEXT NOT NULL,                  -- security_feed, changelog, patch_header, upstream_match
+
+    -- Confidence score (0.00-1.00)
+    -- security_feed: 0.99, patch_header: 0.90, changelog: 0.80, upstream_match: 0.85
+    confidence DECIMAL(3,2) NOT NULL,
+
+    -- Reference to evidence audit trail
+    evidence_id UUID REFERENCES binaries.fix_evidence(id),
+
+    -- Corpus snapshot this came from
+    snapshot_id UUID,
+
+    -- Timestamps
+    indexed_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+
+    -- Unique per distro/release/package/cve
+    CONSTRAINT cve_fix_index_unique UNIQUE (tenant_id, distro, release, source_pkg, cve_id),
+
+    -- State validation
+    CONSTRAINT cve_fix_state_check CHECK (state IN (
+        'fixed', 'vulnerable', 'not_affected', 'wontfix', 'unknown'
+    )),
+
+    -- Method validation
+    CONSTRAINT cve_fix_method_check CHECK (method IN (
+        'security_feed', 'changelog', 'patch_header', 'upstream_match'
+    )),
+
+    -- Confidence range validation
+    CONSTRAINT cve_fix_confidence_check CHECK (confidence >= 0.00 AND confidence <= 1.00)
+);
+
+-- Enable RLS
+ALTER TABLE binaries.cve_fix_index ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY tenant_isolation ON binaries.cve_fix_index
+    USING (tenant_id = binaries_app.require_current_tenant());
+
+-- Primary lookup index: distro/release/package/cve
+CREATE INDEX IF NOT EXISTS idx_cve_fix_lookup
+    ON binaries.cve_fix_index (tenant_id, distro, release, source_pkg, cve_id);
+
+-- Index for CVE-centric queries (e.g., "where is CVE-X fixed?")
+CREATE INDEX IF NOT EXISTS idx_cve_fix_by_cve
+    ON binaries.cve_fix_index (tenant_id, cve_id, distro, release);
+
+-- Index for version-based queries
+CREATE INDEX IF NOT EXISTS idx_cve_fix_by_version
+    ON binaries.cve_fix_index (tenant_id, distro, release, source_pkg, fixed_version);
+
+-- Index for snapshot cleanup
+CREATE INDEX IF NOT EXISTS idx_cve_fix_snapshot
+    ON binaries.cve_fix_index (tenant_id, snapshot_id);
+
+-- Index for state filtering
+CREATE INDEX IF NOT EXISTS idx_cve_fix_by_state
+    ON binaries.cve_fix_index (tenant_id, distro, release, state);
+
+-- -----------------------------------------------------------------------------
+-- fix_index_priority: Resolution priority when multiple sources conflict
+-- Higher priority sources override lower priority sources
+-- -----------------------------------------------------------------------------
+CREATE TABLE IF NOT EXISTS binaries.fix_index_priority (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id TEXT NOT NULL DEFAULT binaries_app.require_current_tenant(),
+
+    -- Priority order (lower number = higher priority)
+    priority INTEGER NOT NULL,
+
+    -- Method type
+    method TEXT NOT NULL,
+
+    -- Description
+    description TEXT,
+
+    -- Active flag
+    is_active BOOLEAN NOT NULL DEFAULT true,
+
+    CONSTRAINT fix_index_priority_unique UNIQUE (tenant_id, method)
+);
+
+-- Enable RLS
+ALTER TABLE binaries.fix_index_priority ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY tenant_isolation ON binaries.fix_index_priority
+    USING (tenant_id = binaries_app.require_current_tenant());
+
+-- -----------------------------------------------------------------------------
+-- Insert default priorities
+-- Security feeds are authoritative and override other sources
+-- -----------------------------------------------------------------------------
+-- Note: Default priorities will be inserted per-tenant on first use
+
+-- -----------------------------------------------------------------------------
+-- Comments for documentation
+-- -----------------------------------------------------------------------------
+COMMENT ON TABLE binaries.fix_evidence IS
+    'Audit trail for CVE fix determinations, storing excerpts and metadata for traceability';
+
+COMMENT ON TABLE binaries.cve_fix_index IS
+    'Patch-aware CVE fix index enabling accurate vulnerability status despite version pinning';
+
+COMMENT ON COLUMN binaries.cve_fix_index.confidence IS
+    'Confidence score: security_feed=0.99, patch_header=0.90, changelog=0.80, upstream_match=0.85';
+
+COMMENT ON COLUMN binaries.cve_fix_index.method IS
+    'How fix status was determined: security_feed (OVAL/DSA), changelog, patch_header (DEP-3), upstream_match';

src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/Repositories/FixIndexRepository.cs

@@ -0,0 +1,321 @@
+using System.Text.Json;
+using Npgsql;
+using NpgsqlTypes;
+using StellaOps.BinaryIndex.FixIndex.Models;
+using StellaOps.BinaryIndex.FixIndex.Repositories;
+
+namespace StellaOps.BinaryIndex.Persistence.Repositories;
+
+/// <summary>
+/// PostgreSQL implementation of <see cref="IFixIndexRepository"/>.
+/// </summary>
+public sealed class FixIndexRepository : IFixIndexRepository
+{
+    private readonly BinaryIndexDataSource _dataSource;
+
+    private static readonly JsonSerializerOptions JsonOptions = new(JsonSerializerDefaults.Web)
+    {
+        PropertyNamingPolicy = JsonNamingPolicy.CamelCase
+    };
+
+    public FixIndexRepository(BinaryIndexDataSource dataSource)
+    {
+        _dataSource = dataSource ?? throw new ArgumentNullException(nameof(dataSource));
+    }
+
+    /// <inheritdoc />
+    public async Task<FixIndexEntry?> GetFixStatusAsync(
+        string distro,
+        string release,
+        string sourcePkg,
+        string cveId,
+        CancellationToken cancellationToken = default)
+    {
+        const string sql = """
+            SELECT id, distro, release, source_pkg, cve_id, state, fixed_version,
+                   method, confidence, evidence_id, snapshot_id, indexed_at, updated_at
+            FROM binaries.cve_fix_index
+            WHERE distro = @distro AND release = @release
+                  AND source_pkg = @sourcePkg AND cve_id = @cveId
+            """;
+
+        await using var conn = await _dataSource.OpenConnectionAsync(cancellationToken);
+        await using var cmd = new NpgsqlCommand(sql, conn);
+        cmd.Parameters.AddWithValue("distro", distro);
+        cmd.Parameters.AddWithValue("release", release);
+        cmd.Parameters.AddWithValue("sourcePkg", sourcePkg);
+        cmd.Parameters.AddWithValue("cveId", cveId);
+
+        await using var reader = await cmd.ExecuteReaderAsync(cancellationToken);
+        if (await reader.ReadAsync(cancellationToken))
+        {
+            return MapToFixIndexEntry(reader);
+        }
+
+        return null;
+    }
+
+    /// <inheritdoc />
+    public async Task<IReadOnlyList<FixIndexEntry>> GetFixStatusesForPackageAsync(
+        string distro,
+        string release,
+        string sourcePkg,
+        CancellationToken cancellationToken = default)
+    {
+        const string sql = """
+            SELECT id, distro, release, source_pkg, cve_id, state, fixed_version,
+                   method, confidence, evidence_id, snapshot_id, indexed_at, updated_at
+            FROM binaries.cve_fix_index
+            WHERE distro = @distro AND release = @release AND source_pkg = @sourcePkg
+            ORDER BY cve_id
+            """;
+
+        await using var conn = await _dataSource.OpenConnectionAsync(cancellationToken);
+        await using var cmd = new NpgsqlCommand(sql, conn);
+        cmd.Parameters.AddWithValue("distro", distro);
+        cmd.Parameters.AddWithValue("release", release);
+        cmd.Parameters.AddWithValue("sourcePkg", sourcePkg);
+
+        var results = new List<FixIndexEntry>();
+        await using var reader = await cmd.ExecuteReaderAsync(cancellationToken);
+        while (await reader.ReadAsync(cancellationToken))
+        {
+            results.Add(MapToFixIndexEntry(reader));
+        }
+
+        return results;
+    }
+
+    /// <inheritdoc />
+    public async Task<IReadOnlyList<FixIndexEntry>> GetFixLocationsForCveAsync(
+        string cveId,
+        CancellationToken cancellationToken = default)
+    {
+        const string sql = """
+            SELECT id, distro, release, source_pkg, cve_id, state, fixed_version,
+                   method, confidence, evidence_id, snapshot_id, indexed_at, updated_at
+            FROM binaries.cve_fix_index
+            WHERE cve_id = @cveId
+            ORDER BY distro, release, source_pkg
+            """;
+
+        await using var conn = await _dataSource.OpenConnectionAsync(cancellationToken);
+        await using var cmd = new NpgsqlCommand(sql, conn);
+        cmd.Parameters.AddWithValue("cveId", cveId);
+
+        var results = new List<FixIndexEntry>();
+        await using var reader = await cmd.ExecuteReaderAsync(cancellationToken);
+        while (await reader.ReadAsync(cancellationToken))
+        {
+            results.Add(MapToFixIndexEntry(reader));
+        }
+
+        return results;
+    }
+
+    /// <inheritdoc />
+    public async Task<FixIndexEntry> UpsertAsync(
+        FixEvidence evidence,
+        CancellationToken cancellationToken = default)
+    {
+        // First store evidence
+        var evidenceId = await StoreEvidenceAsync(evidence, cancellationToken);
+
+        const string sql = """
+            INSERT INTO binaries.cve_fix_index
+                (distro, release, source_pkg, cve_id, state, fixed_version, method, confidence, evidence_id, snapshot_id)
+            VALUES
+                (@distro, @release, @sourcePkg, @cveId, @state, @fixedVersion, @method, @confidence, @evidenceId, @snapshotId)
+            ON CONFLICT (tenant_id, distro, release, source_pkg, cve_id)
+            DO UPDATE SET
+                state = EXCLUDED.state,
+                fixed_version = EXCLUDED.fixed_version,
+                method = CASE
+                    WHEN binaries.cve_fix_index.confidence < EXCLUDED.confidence THEN EXCLUDED.method
+                    ELSE binaries.cve_fix_index.method
+                END,
+                confidence = GREATEST(binaries.cve_fix_index.confidence, EXCLUDED.confidence),
+                evidence_id = CASE
+                    WHEN binaries.cve_fix_index.confidence < EXCLUDED.confidence THEN EXCLUDED.evidence_id
+                    ELSE binaries.cve_fix_index.evidence_id
+                END,
+                snapshot_id = EXCLUDED.snapshot_id,
+                updated_at = now()
+            RETURNING id, distro, release, source_pkg, cve_id, state, fixed_version,
+                      method, confidence, evidence_id, snapshot_id, indexed_at, updated_at
+            """;
+
+        await using var conn = await _dataSource.OpenConnectionAsync(cancellationToken);
+        await using var cmd = new NpgsqlCommand(sql, conn);
+        cmd.Parameters.AddWithValue("distro", evidence.Distro);
+        cmd.Parameters.AddWithValue("release", evidence.Release);
+        cmd.Parameters.AddWithValue("sourcePkg", evidence.SourcePkg);
+        cmd.Parameters.AddWithValue("cveId", evidence.CveId);
+        cmd.Parameters.AddWithValue("state", evidence.State.ToString().ToLowerInvariant());
+        cmd.Parameters.AddWithValue("fixedVersion", (object?)evidence.FixedVersion ?? DBNull.Value);
+        cmd.Parameters.AddWithValue("method", evidence.Method.ToString().ToLowerInvariant());
+        cmd.Parameters.AddWithValue("confidence", evidence.Confidence);
+        cmd.Parameters.AddWithValue("evidenceId", evidenceId);
+        cmd.Parameters.AddWithValue("snapshotId", (object?)evidence.SnapshotId ?? DBNull.Value);
+
+        await using var reader = await cmd.ExecuteReaderAsync(cancellationToken);
+        await reader.ReadAsync(cancellationToken);
+        return MapToFixIndexEntry(reader);
+    }
+
+    /// <inheritdoc />
+    public async Task<int> UpsertBatchAsync(
+        IEnumerable<FixEvidence> evidenceList,
+        CancellationToken cancellationToken = default)
+    {
+        var count = 0;
+        foreach (var evidence in evidenceList)
+        {
+            await UpsertAsync(evidence, cancellationToken);
+            count++;
+        }
+        return count;
+    }
+
+    /// <inheritdoc />
+    public async Task<Guid> StoreEvidenceAsync(
+        FixEvidence evidence,
+        CancellationToken cancellationToken = default)
+    {
+        var (evidenceType, sourceFile, excerpt, metadata) = MapEvidencePayload(evidence.Evidence);
+
+        const string sql = """
+            INSERT INTO binaries.fix_evidence
+                (evidence_type, source_file, excerpt, metadata, snapshot_id)
+            VALUES
+                (@evidenceType, @sourceFile, @excerpt, @metadata::jsonb, @snapshotId)
+            RETURNING id
+            """;
+
+        await using var conn = await _dataSource.OpenConnectionAsync(cancellationToken);
+        await using var cmd = new NpgsqlCommand(sql, conn);
+        cmd.Parameters.AddWithValue("evidenceType", evidenceType);
+        cmd.Parameters.AddWithValue("sourceFile", (object?)sourceFile ?? DBNull.Value);
+        cmd.Parameters.AddWithValue("excerpt", (object?)excerpt ?? DBNull.Value);
+        cmd.Parameters.AddWithValue("metadata", NpgsqlDbType.Jsonb, metadata);
+        cmd.Parameters.AddWithValue("snapshotId", (object?)evidence.SnapshotId ?? DBNull.Value);
+
+        var result = await cmd.ExecuteScalarAsync(cancellationToken);
+        return (Guid)result!;
+    }
+
+    /// <inheritdoc />
+    public async Task<FixEvidenceRecord?> GetEvidenceAsync(
+        Guid evidenceId,
+        CancellationToken cancellationToken = default)
+    {
+        const string sql = """
+            SELECT id, evidence_type, source_file, source_sha256, excerpt, metadata::text, snapshot_id, created_at
+            FROM binaries.fix_evidence
+            WHERE id = @id
+            """;
+
+        await using var conn = await _dataSource.OpenConnectionAsync(cancellationToken);
+        await using var cmd = new NpgsqlCommand(sql, conn);
+        cmd.Parameters.AddWithValue("id", evidenceId);
+
+        await using var reader = await cmd.ExecuteReaderAsync(cancellationToken);
+        if (await reader.ReadAsync(cancellationToken))
+        {
+            return new FixEvidenceRecord
+            {
+                Id = reader.GetGuid(0),
+                EvidenceType = reader.GetString(1),
+                SourceFile = reader.IsDBNull(2) ? null : reader.GetString(2),
+                SourceSha256 = reader.IsDBNull(3) ? null : reader.GetString(3),
+                Excerpt = reader.IsDBNull(4) ? null : reader.GetString(4),
+                MetadataJson = reader.GetString(5),
+                SnapshotId = reader.IsDBNull(6) ? null : reader.GetGuid(6),
+                CreatedAt = reader.GetDateTime(7)
+            };
+        }
+
+        return null;
+    }
+
+    /// <inheritdoc />
+    public async Task<int> DeleteBySnapshotAsync(
+        Guid snapshotId,
+        CancellationToken cancellationToken = default)
+    {
+        const string sql = """
+            WITH deleted_index AS (
+                DELETE FROM binaries.cve_fix_index WHERE snapshot_id = @snapshotId RETURNING 1
+            ),
+            deleted_evidence AS (
+                DELETE FROM binaries.fix_evidence WHERE snapshot_id = @snapshotId RETURNING 1
+            )
+            SELECT (SELECT COUNT(*) FROM deleted_index) + (SELECT COUNT(*) FROM deleted_evidence)
+            """;
+
+        await using var conn = await _dataSource.OpenConnectionAsync(cancellationToken);
+        await using var cmd = new NpgsqlCommand(sql, conn);
+        cmd.Parameters.AddWithValue("snapshotId", snapshotId);
+
+        var result = await cmd.ExecuteScalarAsync(cancellationToken);
+        return Convert.ToInt32(result);
+    }
+
+    private static FixIndexEntry MapToFixIndexEntry(NpgsqlDataReader reader)
+    {
+        return new FixIndexEntry
+        {
+            Id = reader.GetGuid(0),
+            Distro = reader.GetString(1),
+            Release = reader.GetString(2),
+            SourcePkg = reader.GetString(3),
+            CveId = reader.GetString(4),
+            State = Enum.Parse<FixState>(reader.GetString(5), ignoreCase: true),
+            FixedVersion = reader.IsDBNull(6) ? null : reader.GetString(6),
+            Method = ParseFixMethod(reader.GetString(7)),
+            Confidence = reader.GetDecimal(8),
+            EvidenceId = reader.IsDBNull(9) ? null : reader.GetGuid(9),
+            SnapshotId = reader.IsDBNull(10) ? null : reader.GetGuid(10),
+            IndexedAt = reader.GetDateTime(11),
+            UpdatedAt = reader.GetDateTime(12)
+        };
+    }
+
+    private static FixMethod ParseFixMethod(string method)
+    {
+        return method.ToLowerInvariant() switch
+        {
+            "security_feed" => FixMethod.SecurityFeed,
+            "changelog" => FixMethod.Changelog,
+            "patch_header" => FixMethod.PatchHeader,
+            "upstream_match" => FixMethod.UpstreamPatchMatch,
+            _ => FixMethod.Changelog
+        };
+    }
+
+    private static (string Type, string? File, string? Excerpt, string Metadata) MapEvidencePayload(FixEvidencePayload payload)
+    {
+        return payload switch
+        {
+            ChangelogEvidence cl => (
+                "changelog",
+                cl.File,
+                cl.Excerpt,
+                JsonSerializer.Serialize(new { cl.Version, cl.LineNumber }, JsonOptions)
+            ),
+            PatchHeaderEvidence ph => (
+                "patch_header",
+                ph.PatchPath,
+                ph.HeaderExcerpt,
+                JsonSerializer.Serialize(new { ph.PatchSha256 }, JsonOptions)
+            ),
+            SecurityFeedEvidence sf => (
+                "security_feed",
+                null,
+                null,
+                JsonSerializer.Serialize(new { sf.FeedId, sf.EntryId, sf.PublishedAt }, JsonOptions)
+            ),
+            _ => ("unknown", null, null, "{}")
+        };
+    }
+}

src/BinaryIndex/__Tests/StellaOps.BinaryIndex.Core.Tests/FeatureExtractorTests.cs

@@ -0,0 +1,509 @@
+// -----------------------------------------------------------------------------
+// FeatureExtractorTests.cs
+// Sprint: SPRINT_20251226_011_BINIDX_known_build_catalog
+// Task: BINCAT-17 - Unit tests for identity extraction (ELF, PE, Mach-O)
+// Description: Unit tests for binary feature extraction across all formats
+// -----------------------------------------------------------------------------
+
+using FluentAssertions;
+using StellaOps.BinaryIndex.Core.Models;
+using StellaOps.BinaryIndex.Core.Services;
+using Xunit;
+
+namespace StellaOps.BinaryIndex.Core.Tests;
+
+public class ElfFeatureExtractorTests
+{
+    private readonly ElfFeatureExtractor _extractor = new();
+
+    [Fact]
+    public void CanExtract_WithElfMagic_ReturnsTrue()
+    {
+        // Arrange: ELF magic bytes
+        var elfBytes = new byte[] { 0x7F, 0x45, 0x4C, 0x46, 0x02, 0x01, 0x01, 0x00 };
+        using var stream = new MemoryStream(elfBytes);
+
+        // Act
+        var result = _extractor.CanExtract(stream);
+
+        // Assert
+        result.Should().BeTrue();
+    }
+
+    [Fact]
+    public void CanExtract_WithNonElfMagic_ReturnsFalse()
+    {
+        // Arrange: Not ELF
+        var notElf = new byte[] { 0x4D, 0x5A, 0x90, 0x00 }; // PE magic
+        using var stream = new MemoryStream(notElf);
+
+        // Act
+        var result = _extractor.CanExtract(stream);
+
+        // Assert
+        result.Should().BeFalse();
+    }
+
+    [Fact]
+    public void CanExtract_WithEmptyStream_ReturnsFalse()
+    {
+        // Arrange
+        using var stream = new MemoryStream();
+
+        // Act
+        var result = _extractor.CanExtract(stream);
+
+        // Assert
+        result.Should().BeFalse();
+    }
+
+    [Fact]
+    public async Task ExtractMetadataAsync_WithValidElf64_ReturnsCorrectMetadata()
+    {
+        // Arrange: Minimal ELF64 header (little-endian, x86_64, executable)
+        var elfHeader = CreateMinimalElf64Header(
+            machine: 0x3E,     // x86_64
+            type: 0x02,        // ET_EXEC
+            osabi: 0x03);      // Linux
+
+        using var stream = new MemoryStream(elfHeader);
+
+        // Act
+        var metadata = await _extractor.ExtractMetadataAsync(stream);
+
+        // Assert
+        metadata.Format.Should().Be(BinaryFormat.Elf);
+        metadata.Architecture.Should().Be("x86_64");
+        metadata.Type.Should().Be(BinaryType.Executable);
+    }
+
+    [Fact]
+    public async Task ExtractMetadataAsync_WithElf64SharedLib_ReturnsSharedLibrary()
+    {
+        // Arrange: ELF64 shared library
+        var elfHeader = CreateMinimalElf64Header(
+            machine: 0x3E,
+            type: 0x03,        // ET_DYN (shared object)
+            osabi: 0x03);
+
+        using var stream = new MemoryStream(elfHeader);
+
+        // Act
+        var metadata = await _extractor.ExtractMetadataAsync(stream);
+
+        // Assert
+        metadata.Type.Should().Be(BinaryType.SharedLibrary);
+    }
+
+    [Fact]
+    public async Task ExtractMetadataAsync_WithAarch64_ReturnsCorrectArchitecture()
+    {
+        // Arrange: ELF64 aarch64
+        var elfHeader = CreateMinimalElf64Header(
+            machine: 0xB7,     // aarch64
+            type: 0x02,
+            osabi: 0x03);
+
+        using var stream = new MemoryStream(elfHeader);
+
+        // Act
+        var metadata = await _extractor.ExtractMetadataAsync(stream);
+
+        // Assert
+        metadata.Architecture.Should().Be("aarch64");
+    }
+
+    [Fact]
+    public async Task ExtractIdentityAsync_ProducesConsistentBinaryKey()
+    {
+        // Arrange: Same ELF content
+        var elfHeader = CreateMinimalElf64Header(machine: 0x3E, type: 0x02, osabi: 0x03);
+
+        using var stream1 = new MemoryStream(elfHeader);
+        using var stream2 = new MemoryStream(elfHeader);
+
+        // Act
+        var identity1 = await _extractor.ExtractIdentityAsync(stream1);
+        var identity2 = await _extractor.ExtractIdentityAsync(stream2);
+
+        // Assert: Same content should produce same identity
+        identity1.BinaryKey.Should().Be(identity2.BinaryKey);
+        identity1.FileSha256.Should().Be(identity2.FileSha256);
+    }
+
+    private static byte[] CreateMinimalElf64Header(ushort machine, ushort type, byte osabi)
+    {
+        var header = new byte[64];
+
+        // ELF magic
+        header[0] = 0x7F;
+        header[1] = 0x45; // E
+        header[2] = 0x4C; // L
+        header[3] = 0x46; // F
+
+        // Class: 64-bit
+        header[4] = 0x02;
+        // Data: little-endian
+        header[5] = 0x01;
+        // Version
+        header[6] = 0x01;
+        // OS/ABI
+        header[7] = osabi;
+
+        // Type (little-endian)
+        BitConverter.GetBytes(type).CopyTo(header, 16);
+        // Machine (little-endian)
+        BitConverter.GetBytes(machine).CopyTo(header, 18);
+
+        return header;
+    }
+}
+
+public class PeFeatureExtractorTests
+{
+    private readonly PeFeatureExtractor _extractor = new();
+
+    [Fact]
+    public void CanExtract_WithDosMagic_ReturnsTrue()
+    {
+        // Arrange: DOS/PE magic bytes
+        var peBytes = CreateMinimalPeHeader();
+        using var stream = new MemoryStream(peBytes);
+
+        // Act
+        var result = _extractor.CanExtract(stream);
+
+        // Assert
+        result.Should().BeTrue();
+    }
+
+    [Fact]
+    public void CanExtract_WithElfMagic_ReturnsFalse()
+    {
+        // Arrange: ELF magic
+        var elfBytes = new byte[] { 0x7F, 0x45, 0x4C, 0x46, 0x02, 0x01, 0x01, 0x00 };
+        using var stream = new MemoryStream(elfBytes);
+
+        // Act
+        var result = _extractor.CanExtract(stream);
+
+        // Assert
+        result.Should().BeFalse();
+    }
+
+    [Fact]
+    public async Task ExtractMetadataAsync_WithPe64_ReturnsCorrectMetadata()
+    {
+        // Arrange: PE32+ x86_64 executable
+        var peHeader = CreateMinimalPeHeader(machine: 0x8664, characteristics: 0x0002);
+        using var stream = new MemoryStream(peHeader);
+
+        // Act
+        var metadata = await _extractor.ExtractMetadataAsync(stream);
+
+        // Assert
+        metadata.Format.Should().Be(BinaryFormat.Pe);
+        metadata.Architecture.Should().Be("x86_64");
+        metadata.Type.Should().Be(BinaryType.Executable);
+    }
+
+    [Fact]
+    public async Task ExtractMetadataAsync_WithDll_ReturnsSharedLibrary()
+    {
+        // Arrange: PE DLL
+        var peHeader = CreateMinimalPeHeader(
+            machine: 0x8664,
+            characteristics: 0x2002); // IMAGE_FILE_DLL | IMAGE_FILE_EXECUTABLE_IMAGE
+
+        using var stream = new MemoryStream(peHeader);
+
+        // Act
+        var metadata = await _extractor.ExtractMetadataAsync(stream);
+
+        // Assert
+        metadata.Type.Should().Be(BinaryType.SharedLibrary);
+    }
+
+    [Fact]
+    public async Task ExtractMetadataAsync_WithX86_ReturnsCorrectArchitecture()
+    {
+        // Arrange: PE32 x86
+        var peHeader = CreateMinimalPeHeader(machine: 0x014C, characteristics: 0x0002);
+        using var stream = new MemoryStream(peHeader);
+
+        // Act
+        var metadata = await _extractor.ExtractMetadataAsync(stream);
+
+        // Assert
+        metadata.Architecture.Should().Be("x86");
+    }
+
+    [Fact]
+    public async Task ExtractIdentityAsync_ProducesConsistentBinaryKey()
+    {
+        // Arrange: Same PE content
+        var peHeader = CreateMinimalPeHeader(machine: 0x8664, characteristics: 0x0002);
+
+        using var stream1 = new MemoryStream(peHeader);
+        using var stream2 = new MemoryStream(peHeader);
+
+        // Act
+        var identity1 = await _extractor.ExtractIdentityAsync(stream1);
+        var identity2 = await _extractor.ExtractIdentityAsync(stream2);
+
+        // Assert: Same content should produce same identity
+        identity1.BinaryKey.Should().Be(identity2.BinaryKey);
+        identity1.FileSha256.Should().Be(identity2.FileSha256);
+    }
+
+    private static byte[] CreateMinimalPeHeader(ushort machine = 0x8664, ushort characteristics = 0x0002)
+    {
+        var header = new byte[512];
+
+        // DOS header
+        header[0] = 0x4D; // M
+        header[1] = 0x5A; // Z
+
+        // e_lfanew at offset 0x3C
+        BitConverter.GetBytes(0x80).CopyTo(header, 0x3C);
+
+        // PE signature at offset 0x80
+        header[0x80] = 0x50; // P
+        header[0x81] = 0x45; // E
+        header[0x82] = 0x00;
+        header[0x83] = 0x00;
+
+        // COFF header at 0x84
+        BitConverter.GetBytes(machine).CopyTo(header, 0x84);       // Machine
+        BitConverter.GetBytes((ushort)0).CopyTo(header, 0x86);     // NumberOfSections
+        BitConverter.GetBytes((uint)0).CopyTo(header, 0x88);       // TimeDateStamp
+        BitConverter.GetBytes((uint)0).CopyTo(header, 0x8C);       // PointerToSymbolTable
+        BitConverter.GetBytes((uint)0).CopyTo(header, 0x90);       // NumberOfSymbols
+        BitConverter.GetBytes((ushort)240).CopyTo(header, 0x94);   // SizeOfOptionalHeader (PE32+)
+        BitConverter.GetBytes(characteristics).CopyTo(header, 0x96); // Characteristics
+
+        // Optional header magic at 0x98
+        BitConverter.GetBytes((ushort)0x20B).CopyTo(header, 0x98); // PE32+ magic
+
+        return header;
+    }
+}
+
+public class MachoFeatureExtractorTests
+{
+    private readonly MachoFeatureExtractor _extractor = new();
+
+    [Fact]
+    public void CanExtract_WithMacho64Magic_ReturnsTrue()
+    {
+        // Arrange: Mach-O 64-bit magic
+        var machoBytes = new byte[] { 0xCF, 0xFA, 0xED, 0xFE }; // MH_MAGIC_64 little-endian
+        using var stream = new MemoryStream(machoBytes);
+
+        // Act
+        var result = _extractor.CanExtract(stream);
+
+        // Assert
+        result.Should().BeTrue();
+    }
+
+    [Fact]
+    public void CanExtract_WithFatBinaryMagic_ReturnsTrue()
+    {
+        // Arrange: Universal binary magic
+        var fatBytes = new byte[] { 0xCA, 0xFE, 0xBA, 0xBE }; // FAT_MAGIC
+        using var stream = new MemoryStream(fatBytes);
+
+        // Act
+        var result = _extractor.CanExtract(stream);
+
+        // Assert
+        result.Should().BeTrue();
+    }
+
+    [Fact]
+    public void CanExtract_WithElfMagic_ReturnsFalse()
+    {
+        // Arrange: ELF magic
+        var elfBytes = new byte[] { 0x7F, 0x45, 0x4C, 0x46, 0x02, 0x01, 0x01, 0x00 };
+        using var stream = new MemoryStream(elfBytes);
+
+        // Act
+        var result = _extractor.CanExtract(stream);
+
+        // Assert
+        result.Should().BeFalse();
+    }
+
+    [Fact]
+    public async Task ExtractMetadataAsync_WithMacho64Executable_ReturnsCorrectMetadata()
+    {
+        // Arrange: Mach-O 64-bit x86_64 executable
+        var machoHeader = CreateMinimalMacho64Header(
+            cpuType: 0x01000007,   // CPU_TYPE_X86_64
+            fileType: 0x02);       // MH_EXECUTE
+
+        using var stream = new MemoryStream(machoHeader);
+
+        // Act
+        var metadata = await _extractor.ExtractMetadataAsync(stream);
+
+        // Assert
+        metadata.Format.Should().Be(BinaryFormat.Macho);
+        metadata.Architecture.Should().Be("x86_64");
+        metadata.Type.Should().Be(BinaryType.Executable);
+    }
+
+    [Fact]
+    public async Task ExtractMetadataAsync_WithDylib_ReturnsSharedLibrary()
+    {
+        // Arrange: Mach-O dylib
+        var machoHeader = CreateMinimalMacho64Header(
+            cpuType: 0x01000007,
+            fileType: 0x06);       // MH_DYLIB
+
+        using var stream = new MemoryStream(machoHeader);
+
+        // Act
+        var metadata = await _extractor.ExtractMetadataAsync(stream);
+
+        // Assert
+        metadata.Type.Should().Be(BinaryType.SharedLibrary);
+    }
+
+    [Fact]
+    public async Task ExtractMetadataAsync_WithArm64_ReturnsCorrectArchitecture()
+    {
+        // Arrange: Mach-O arm64
+        var machoHeader = CreateMinimalMacho64Header(
+            cpuType: 0x0100000C,   // CPU_TYPE_ARM64
+            fileType: 0x02);
+
+        using var stream = new MemoryStream(machoHeader);
+
+        // Act
+        var metadata = await _extractor.ExtractMetadataAsync(stream);
+
+        // Assert
+        metadata.Architecture.Should().Be("aarch64");
+    }
+
+    [Fact]
+    public async Task ExtractIdentityAsync_ProducesConsistentBinaryKey()
+    {
+        // Arrange: Same Mach-O content
+        var machoHeader = CreateMinimalMacho64Header(cpuType: 0x01000007, fileType: 0x02);
+
+        using var stream1 = new MemoryStream(machoHeader);
+        using var stream2 = new MemoryStream(machoHeader);
+
+        // Act
+        var identity1 = await _extractor.ExtractIdentityAsync(stream1);
+        var identity2 = await _extractor.ExtractIdentityAsync(stream2);
+
+        // Assert: Same content should produce same identity
+        identity1.BinaryKey.Should().Be(identity2.BinaryKey);
+        identity1.FileSha256.Should().Be(identity2.FileSha256);
+    }
+
+    private static byte[] CreateMinimalMacho64Header(int cpuType, uint fileType)
+    {
+        var header = new byte[32 + 256]; // Mach-O 64 header + space for load commands
+
+        // Magic (little-endian)
+        header[0] = 0xCF;
+        header[1] = 0xFA;
+        header[2] = 0xED;
+        header[3] = 0xFE;
+
+        // CPU type
+        BitConverter.GetBytes(cpuType).CopyTo(header, 4);
+        // CPU subtype
+        BitConverter.GetBytes(0).CopyTo(header, 8);
+        // File type
+        BitConverter.GetBytes(fileType).CopyTo(header, 12);
+        // Number of load commands
+        BitConverter.GetBytes((uint)0).CopyTo(header, 16);
+        // Size of load commands
+        BitConverter.GetBytes((uint)0).CopyTo(header, 20);
+        // Flags
+        BitConverter.GetBytes((uint)0).CopyTo(header, 24);
+        // Reserved (64-bit only)
+        BitConverter.GetBytes((uint)0).CopyTo(header, 28);
+
+        return header;
+    }
+}
+
+public class BinaryIdentityDeterminismTests
+{
+    [Fact]
+    public async Task AllExtractors_SameContent_ProduceSameHash()
+    {
+        // Arrange: Create identical binary content
+        var content = new byte[256];
+        new Random(42).NextBytes(content);
+
+        // ELF header
+        content[0] = 0x7F;
+        content[1] = 0x45;
+        content[2] = 0x4C;
+        content[3] = 0x46;
+        content[4] = 0x02; // 64-bit
+        content[5] = 0x01; // little-endian
+        BitConverter.GetBytes((ushort)0x3E).CopyTo(content, 18); // x86_64
+        BitConverter.GetBytes((ushort)0x02).CopyTo(content, 16); // executable
+
+        var extractor = new ElfFeatureExtractor();
+
+        // Act: Extract identity multiple times
+        using var stream1 = new MemoryStream(content);
+        using var stream2 = new MemoryStream(content);
+        using var stream3 = new MemoryStream(content);
+
+        var identity1 = await extractor.ExtractIdentityAsync(stream1);
+        var identity2 = await extractor.ExtractIdentityAsync(stream2);
+        var identity3 = await extractor.ExtractIdentityAsync(stream3);
+
+        // Assert: All identities should be identical
+        identity1.FileSha256.Should().Be(identity2.FileSha256);
+        identity2.FileSha256.Should().Be(identity3.FileSha256);
+        identity1.BinaryKey.Should().Be(identity2.BinaryKey);
+        identity2.BinaryKey.Should().Be(identity3.BinaryKey);
+    }
+
+    [Fact]
+    public async Task DifferentContent_ProducesDifferentHash()
+    {
+        // Arrange
+        var content1 = CreateMinimalElf(0x01);
+        var content2 = CreateMinimalElf(0x02);
+
+        var extractor = new ElfFeatureExtractor();
+
+        // Act
+        using var stream1 = new MemoryStream(content1);
+        using var stream2 = new MemoryStream(content2);
+
+        var identity1 = await extractor.ExtractIdentityAsync(stream1);
+        var identity2 = await extractor.ExtractIdentityAsync(stream2);
+
+        // Assert: Different content should produce different identities
+        identity1.FileSha256.Should().NotBe(identity2.FileSha256);
+    }
+
+    private static byte[] CreateMinimalElf(byte variant)
+    {
+        var header = new byte[64];
+        header[0] = 0x7F;
+        header[1] = 0x45;
+        header[2] = 0x4C;
+        header[3] = 0x46;
+        header[4] = 0x02;
+        header[5] = 0x01;
+        header[6] = variant; // Vary the version byte
+        BitConverter.GetBytes((ushort)0x3E).CopyTo(header, 18);
+        BitConverter.GetBytes((ushort)0x02).CopyTo(header, 16);
+        return header;
+    }
+}

src/BinaryIndex/__Tests/StellaOps.BinaryIndex.Core.Tests/FixIndex/ParserTests.cs

@@ -0,0 +1,388 @@
+// -----------------------------------------------------------------------------
+// ParserTests.cs
+// Sprint: SPRINT_20251226_012_BINIDX_backport_handling
+// Task: BACKPORT-19 — Unit tests for all parsers
+// -----------------------------------------------------------------------------
+
+using FluentAssertions;
+using StellaOps.BinaryIndex.FixIndex.Models;
+using StellaOps.BinaryIndex.FixIndex.Parsers;
+using Xunit;
+
+namespace StellaOps.BinaryIndex.Core.Tests.FixIndex;
+
+public class DebianChangelogParserTests
+{
+    private readonly DebianChangelogParser _sut = new();
+
+    [Fact]
+    public void ParseTopEntry_ExtractsCveFromChangelog()
+    {
+        // Arrange
+        var changelog = """
+            openssl (3.0.11-1~deb12u2) bookworm-security; urgency=high
+
+              * Fix CVE-2024-0727: PKCS12 decoding crash
+              * Fix CVE-2024-2511: memory leak in TLSv1.3
+
+             -- Debian Security Team <security@debian.org>  Mon, 15 Jan 2024 10:00:00 +0000
+
+            openssl (3.0.11-1~deb12u1) bookworm; urgency=medium
+
+              * Update to 3.0.11
+            """;
+
+        // Act
+        var results = _sut.ParseTopEntry(changelog, "debian", "bookworm", "openssl").ToList();
+
+        // Assert
+        results.Should().HaveCount(2);
+        results.Should().Contain(e => e.CveId == "CVE-2024-0727");
+        results.Should().Contain(e => e.CveId == "CVE-2024-2511");
+        results.Should().AllSatisfy(e =>
+        {
+            e.Distro.Should().Be("debian");
+            e.Release.Should().Be("bookworm");
+            e.SourcePkg.Should().Be("openssl");
+            e.State.Should().Be(FixState.Fixed);
+            e.FixedVersion.Should().Be("3.0.11-1~deb12u2");
+            e.Method.Should().Be(FixMethod.Changelog);
+            e.Confidence.Should().Be(0.80m);
+        });
+    }
+
+    [Fact]
+    public void ParseTopEntry_ReturnsEmptyForNoMention()
+    {
+        // Arrange
+        var changelog = """
+            package (1.0-1) stable; urgency=low
+
+              * Initial release
+
+             -- Maintainer <m@example.com>  Mon, 01 Jan 2024 12:00:00 +0000
+            """;
+
+        // Act
+        var results = _sut.ParseTopEntry(changelog, "debian", "stable", "package").ToList();
+
+        // Assert
+        results.Should().BeEmpty();
+    }
+
+    [Fact]
+    public void ParseTopEntry_HandlesEmptyChangelog()
+    {
+        // Act
+        var results = _sut.ParseTopEntry("", "debian", "stable", "package").ToList();
+
+        // Assert
+        results.Should().BeEmpty();
+    }
+
+    [Fact]
+    public void ParseTopEntry_DeduplicatesCves()
+    {
+        // Arrange - Same CVE mentioned twice
+        var changelog = """
+            package (1.0-1) stable; urgency=high
+
+              * Fix CVE-2024-1234 in parser
+              * Also addresses CVE-2024-1234 in handler
+
+             -- Maintainer <m@example.com>  Mon, 01 Jan 2024 12:00:00 +0000
+            """;
+
+        // Act
+        var results = _sut.ParseTopEntry(changelog, "debian", "stable", "package").ToList();
+
+        // Assert
+        results.Should().HaveCount(1);
+        results[0].CveId.Should().Be("CVE-2024-1234");
+    }
+}
+
+public class AlpineSecfixesParserTests
+{
+    private readonly AlpineSecfixesParser _sut = new();
+
+    [Fact]
+    public void Parse_ExtractsCvesFromSecfixes()
+    {
+        // Arrange
+        var apkbuild = """
+            pkgname=openssl
+            pkgver=3.1.4
+            pkgrel=1
+
+            # secfixes:
+            #   3.1.4-r0:
+            #     - CVE-2024-0727
+            #     - CVE-2024-2511
+            #   3.1.3-r0:
+            #     - CVE-2023-5678
+
+            build() {
+                ./configure
+            }
+            """;
+
+        // Act
+        var results = _sut.Parse(apkbuild, "alpine", "v3.19", "openssl").ToList();
+
+        // Assert
+        results.Should().HaveCount(3);
+
+        var v314 = results.Where(e => e.FixedVersion == "3.1.4-r0").ToList();
+        v314.Should().HaveCount(2);
+        v314.Should().Contain(e => e.CveId == "CVE-2024-0727");
+        v314.Should().Contain(e => e.CveId == "CVE-2024-2511");
+
+        var v313 = results.Where(e => e.FixedVersion == "3.1.3-r0").ToList();
+        v313.Should().HaveCount(1);
+        v313[0].CveId.Should().Be("CVE-2023-5678");
+
+        results.Should().AllSatisfy(e =>
+        {
+            e.Distro.Should().Be("alpine");
+            e.Release.Should().Be("v3.19");
+            e.State.Should().Be(FixState.Fixed);
+            e.Method.Should().Be(FixMethod.SecurityFeed);
+            e.Confidence.Should().Be(0.95m);
+        });
+    }
+
+    [Fact]
+    public void Parse_IgnoresNonSecfixesComments()
+    {
+        // Arrange
+        var apkbuild = """
+            # This is a regular comment
+            # CVE-2024-9999 is not in secfixes
+            pkgname=test
+            """;
+
+        // Act
+        var results = _sut.Parse(apkbuild, "alpine", "v3.19", "test").ToList();
+
+        // Assert
+        results.Should().BeEmpty();
+    }
+
+    [Fact]
+    public void Parse_StopsAtNonCommentLine()
+    {
+        // Arrange
+        var apkbuild = """
+            # secfixes:
+            #   1.0-r0:
+            #     - CVE-2024-1111
+            pkgname=test
+            #     - CVE-2024-2222
+            """;
+
+        // Act
+        var results = _sut.Parse(apkbuild, "alpine", "edge", "test").ToList();
+
+        // Assert
+        results.Should().HaveCount(1);
+        results[0].CveId.Should().Be("CVE-2024-1111");
+    }
+}
+
+public class PatchHeaderParserTests
+{
+    private readonly PatchHeaderParser _sut = new();
+
+    [Fact]
+    public void ParsePatches_ExtractsCveFromHeader()
+    {
+        // Arrange
+        var patches = new[]
+        {
+            (
+                Path: "debian/patches/CVE-2024-1234.patch",
+                Content: """
+                    Description: Fix buffer overflow
+                    Origin: upstream, https://github.com/proj/commit/abc123
+                    Bug-Debian: https://bugs.debian.org/123456
+                    CVE: CVE-2024-1234
+                    Applied-Upstream: 2.0.0
+
+                    --- a/src/parser.c
+                    +++ b/src/parser.c
+                    @@ -100,6 +100,8 @@
+                    """,
+                Sha256: "abc123def456"
+            )
+        };
+
+        // Act
+        var results = _sut.ParsePatches(patches, "debian", "bookworm", "libfoo", "1.2.3-1").ToList();
+
+        // Assert
+        results.Should().HaveCount(1);
+        results[0].CveId.Should().Be("CVE-2024-1234");
+        results[0].Method.Should().Be(FixMethod.PatchHeader);
+        results[0].FixedVersion.Should().Be("1.2.3-1");
+        results[0].Evidence.Should().BeOfType<PatchHeaderEvidence>();
+
+        var evidence = (PatchHeaderEvidence)results[0].Evidence;
+        evidence.PatchPath.Should().Be("debian/patches/CVE-2024-1234.patch");
+        evidence.PatchSha256.Should().Be("abc123def456");
+    }
+
+    [Fact]
+    public void ParsePatches_ExtractsCveFromFilename()
+    {
+        // Arrange - CVE only in filename, not header
+        var patches = new[]
+        {
+            (
+                Path: "CVE-2024-5678.patch",
+                Content: """
+                    Fix memory leak
+
+                    --- a/foo.c
+                    +++ b/foo.c
+                    """,
+                Sha256: "sha256hash"
+            )
+        };
+
+        // Act
+        var results = _sut.ParsePatches(patches, "ubuntu", "jammy", "bar", "1.0").ToList();
+
+        // Assert
+        results.Should().HaveCount(1);
+        results[0].CveId.Should().Be("CVE-2024-5678");
+    }
+
+    [Fact]
+    public void ParsePatches_ReturnsEmptyForNoCve()
+    {
+        // Arrange
+        var patches = new[]
+        {
+            (
+                Path: "fix-typo.patch",
+                Content: "--- a/README\n+++ b/README",
+                Sha256: "hash"
+            )
+        };
+
+        // Act
+        var results = _sut.ParsePatches(patches, "debian", "sid", "pkg", "1.0").ToList();
+
+        // Assert
+        results.Should().BeEmpty();
+    }
+}
+
+public class RpmChangelogParserTests
+{
+    private readonly RpmChangelogParser _sut = new();
+
+    [Fact]
+    public void ParseTopEntry_ExtractsCveFromSpecChangelog()
+    {
+        // Arrange
+        var spec = """
+            Name: openssl
+            Version: 3.0.7
+            Release: 27.el9
+
+            %description
+            OpenSSL toolkit
+
+            %changelog
+            * Mon Jan 15 2024 Security Team <security@redhat.com> - 3.0.7-27
+            - Fix CVE-2024-0727: PKCS12 crash
+            - Fix CVE-2024-2511: memory leak
+
+            * Tue Dec 05 2023 Security Team <security@redhat.com> - 3.0.7-26
+            - Fix CVE-2023-5678
+            """;
+
+        // Act
+        var results = _sut.ParseTopEntry(spec, "rhel", "9", "openssl").ToList();
+
+        // Assert
+        results.Should().HaveCount(2);
+        results.Should().Contain(e => e.CveId == "CVE-2024-0727");
+        results.Should().Contain(e => e.CveId == "CVE-2024-2511");
+        results.Should().AllSatisfy(e =>
+        {
+            e.Distro.Should().Be("rhel");
+            e.Release.Should().Be("9");
+            e.FixedVersion.Should().Be("3.0.7-27");
+            e.Method.Should().Be(FixMethod.Changelog);
+            e.Confidence.Should().Be(0.75m);
+        });
+    }
+
+    [Fact]
+    public void ParseAllEntries_ExtractsFromMultipleEntries()
+    {
+        // Arrange
+        var spec = """
+            %changelog
+            * Mon Jan 15 2024 Packager <p@example.com> - 2.0-1
+            - Fix CVE-2024-1111
+
+            * Mon Dec 01 2023 Packager <p@example.com> - 1.9-1
+            - Fix CVE-2023-2222
+            - Fix CVE-2023-3333
+            """;
+
+        // Act
+        var results = _sut.ParseAllEntries(spec, "fedora", "39", "pkg").ToList();
+
+        // Assert
+        results.Should().HaveCount(3);
+
+        var v20 = results.Where(e => e.FixedVersion == "2.0-1").ToList();
+        v20.Should().HaveCount(1);
+        v20[0].CveId.Should().Be("CVE-2024-1111");
+
+        var v19 = results.Where(e => e.FixedVersion == "1.9-1").ToList();
+        v19.Should().HaveCount(2);
+    }
+
+    [Fact]
+    public void ParseTopEntry_StopsAtSecondEntry()
+    {
+        // Arrange
+        var spec = """
+            %changelog
+            * Mon Jan 15 2024 P <p@x.com> - 2.0-1
+            - Fix CVE-2024-1111
+
+            * Mon Dec 01 2023 P <p@x.com> - 1.9-1
+            - Fix CVE-2023-2222
+            """;
+
+        // Act
+        var results = _sut.ParseTopEntry(spec, "centos", "9", "pkg").ToList();
+
+        // Assert
+        results.Should().HaveCount(1);
+        results[0].CveId.Should().Be("CVE-2024-1111");
+    }
+
+    [Fact]
+    public void ParseTopEntry_HandlesNoChangelog()
+    {
+        // Arrange
+        var spec = """
+            Name: test
+            Version: 1.0
+            """;
+
+        // Act
+        var results = _sut.ParseTopEntry(spec, "rhel", "9", "test").ToList();
+
+        // Assert
+        results.Should().BeEmpty();
+    }
+}

src/BinaryIndex/__Tests/StellaOps.BinaryIndex.Core.Tests/StellaOps.BinaryIndex.Core.Tests.csproj

@@ -0,0 +1,29 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <LangVersion>preview</LangVersion>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <IsPackable>false</IsPackable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="FluentAssertions" Version="6.12.0" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.11.0" />
+    <PackageReference Include="xunit" Version="2.9.0" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="2.8.2">
+      <PrivateAssets>all</PrivateAssets>
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
+    </PackageReference>
+    <PackageReference Include="coverlet.collector" Version="6.0.2">
+      <PrivateAssets>all</PrivateAssets>
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
+    </PackageReference>
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\__Libraries\StellaOps.BinaryIndex.Core\StellaOps.BinaryIndex.Core.csproj" />
+  </ItemGroup>
+
+</Project>